A security researcher discovered that some SOHO routers from ASUS can be accessed from the Internet even if the WAN access feature is disabled. The vendor has prepared a firmware update to address the issue.
David Longenecker noticed last month that ASUS routers running ASUSWRT firmware (models with RT- in their name) can be accessed remotely from the Web even if the “Enable Web Access from WAN” feature is disabled. The only condition is that the device’s firewall feature is not enabled.
According to the expert, if the “Enable Firewall” option is set to “no,” it overrides the remote access setting that should ensure a router cannot be accessed from the Internet. This allows a hacker who knows the targeted user’s IP address to remotely access the router. Then, they only need to figure out the password to the administration interface and they can completely compromise the device. As experts often pointed out, many users set weak passwords on their routers or don’t even bother changing the one assigned by default.
By default, WAN access is disabled and the firewall is enabled, but some users might disable the firewall thinking that unauthorized parties should not be able to access their router’s interface from the Internet with the remote management feature turned off. Using Shodan, Longenecker identified roughly 122,000 ASUS routers with a publicly accessible HTTP service. The expert also discovered 15,000 devices with an accessible HTTPS service.
“I would expect most administrators that took the time to restrict access to HTTPS, also took the time to restrict such access to only local devices. In other words, 15,000 people made an effort to secure their routers, and yet could still be pwned from an Internet attacker,” the researcher explained on his blog.
An analysis of the most recent version of the firmware (220.127.116.118.9460) revealed that the issue is caused by a design flaw in the iptables rules used to manage access to the router, namely the lack of a rule covering external access to the device’s web interface. When the firewall is enabled, access to the interface is not blocked specifically, but all connections that are not covered in the defined rules are dropped.
Longenecker told that he reported the flaw to ASUS on January 20 and received a response from the vendor within 24 hours. By January 25, the company had already sent him a beta version of the firmware designed to patch the bug. Experts have reached out to ASUS for information regarding the general availability of the firmware, but the company has not responded by the time of publication.
Until the update becomes available, users can protect themselves against potential attacks by ensuring that the firewall is enabled. This was not the first time Longenecker reported vulnerabilities to ASUS. The expert identified 5-6 issues over the past years, including a vulnerability in the firmware update process of wireless routers, and said the vendor was very responsive to all his reports.