Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Wireless Networking Networking

ASUS Releases Firmware Update for Critical Remote Authentication Bypass Affecting Seven Routers (bleepingcomputer.com) 24

A report from BleepingComputer notes that ASUS "has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices." But there's more bad news: Taiwan's CERT has also informed the public about CVE-2024-3912 in a post yesterday, which is a critical (9.8) arbitrary firmware upload vulnerability allowing unauthenticated, remote attackers to execute system commands on the device. The flaw impacts multiple ASUS router models, but not all will be getting security updates due to them having reached their end-of-life (EoL).

Finally, ASUS announced an update to Download Master, a utility used on ASUS routers that enables users to manage and download files directly to a connected USB storage device via torrent, HTTP, or FTP. The newly released Download Master version 3.1.0.114 addresses five medium to high-severity issues concerning arbitrary file upload, OS command injection, buffer overflow, reflected XSS, and stored XSS problems.

This discussion has been archived. No new comments can be posted.

ASUS Releases Firmware Update for Critical Remote Authentication Bypass Affecting Seven Routers

Comments Filter:
  • I have a router that is definitely not EOL and is very similar to one of the 7 on the list but no new updates for it... not feeling really awesome about this.

  • Either buy real network hardware from a serious manufacturer with proper support or, for the more budget conscious, just build your own with Linux. A low power, fanless mini-pc, with quad gigabit ports will cost you less than some of these modern toy routers, put a minimal install of Debian stable on it, and enable auto updates. You get way more power and flexibility, but no web-gui. Just done the first reinstall of mine since it was first setup (and largely untouched since) in 2017 - a few too many things

    • Re: (Score:3, Insightful)

      by AmiMoJo ( 196126 )

      None of this is at all practical for most people.

      The blame lies entirely with ASUS. What we need is a way to notify affected users. Maybe we could have a service like Have I Been Pwned, but for hardware, where you can register your device. Maybe a mandatory QR code on the box that you scan and it sets up notification emails for you.

      Also a clear, large font display of the EOL date, and a note that the device must be replaced after that date. Tax for every year less than 15 where there is no support, to cover

    • I agree totally of course since I have been running my network with PFSense and OPNSense for years now and it's great but at least on those BSD platforms one issue for the average user is a lack of any real WiFi support so to recomend it to people means they are going to have to transition to a split system with a seperate AP to manage. It's not the end of the world but that combined unit simplcitiy is appealing for your basic big-box router and non-technical user.

      Is there Linux based hardware devices that

      • pfSense is probably a good option, I might have gone that was if it was Linux based. But with no BSD experience and thinking I might want to do other stuff on the router than just routing, I went with Linux. I assume pfSense gets good updates? OpenWRT runs on x68 as well, but their updates are a bit infrequent - though still better than usual consumer stuff.

        Is there Linux based hardware devices that can do an all in one package like that for folks that want a single box to manage? Or can you drop in a network card and create your own AC/AX/BE networks?

        My little box has internal wifi (I think usb attached though) but I didn't imagine it'd be up to the job. With a pcie card, probably necessitating a sli

        • I assume pfSense gets good updates? OpenWRT runs on x68 as well, but their updates are a bit infrequent - though still better than usual consumer stuff.

          It does, just checking my router now and a June 17 major update is available (2.7.0), a primary reason I wanted to move to an x86 platform but as i mentioned pretty much everyone using anything BSD says the wifi support in general is pretty lacking. A few folks have made a single box solution but it's pretty"held together with duct tape and zip ties" type of software.

          . I prefer separate APs though, especially as I need more than one

          Absolutely agree, nothing but good things to say about my Ubiquiti AP but you know it's just not something that is as close to non-techie fri

        • pfSense is probably a good option, I might have gone that was if it was Linux based. But with no BSD experience and thinking I might want to do other stuff on the router than just routing, I went with Linux. I assume pfSense gets good updates?

          I'm a pretty avid user of pfSense, particularly for dual-WAN setups. Although I do feel less manly for not hand-crafting my own pf.conf file, especially Henning Brauer referred to it as "pf non-sense" in response to a question I once asked him about it.

          That being said, I think the graphical interface is quite nice. I like that I can temporarily disable a rule without deleting it, something I don't see in a lot of consumer-grade routers. For example, when renewing certificates from Let's Encrypt, I can tempo

    • I agree in the sense that I have done this, and am still running my self-built router.
      Now, I'm one of those insane people that run Gentoo on it, and haven't reinstalled since at least 2014 (oldest file in /etc). All up to date of course, and I love pampering it.

      Would I recommend anyone else do this? No way...
      At best to fairly technical people I'd suggest to buy a mini-pc and install openWRT on it. But! openwrt lacks udev. So any hw configuration change will probably mess up network interfaces (renumbering a

    • by MobyDisk ( 75490 )

      What about people whose routers are provided by their ISP?

"Nuclear war can ruin your whole compile." -- Karl Lehenbauer

Working...