Asus RT wireless routers have joined the SOHOpeless list – with poor cross-site request forgery protection affecting 30 variants of the devices.
The design blunders, labeled CVE-2017-5891, hit RT-AC and RT-N variants using firmware older than version 3.0.0.4.380.7378.
The lack of CSRF protection means that if the user has left the default credentials – admin:admin – in place, or if an attacker knows the admin password, a malicious webpage can log into the router when visited by the victim. Nightwatch Cybersecurity, which discovered the issue, explained this week that the exploit is trivial: “Submit the base-64 encoded username and password as ‘login_authorization’ form post, to the ‘/login.cgi’ URL of the browser.”
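The login step Nightwatch describes is a plain form POST, which is exactly what a cross-site page can forge. The following Python is an added illustration, not Asus firmware code or Nightwatch's proof of concept: it decodes the base64 `login_authorization` field the way the article describes, then shows the two checks a login endpoint needs to refuse a forged POST, an Origin/Referer allow-list and a per-session anti-CSRF token, and flags the admin:admin default that makes the attack possible in the first place. The router origins, header names, token format and sample requests are constructed assumptions.

```python
import base64
import hmac
from urllib.parse import urlparse

# Constructed assumption: origins under which the router's admin UI is served.
# A real implementation would derive this from the router's LAN address/hostname.
ROUTER_ORIGINS = {"http://192.168.1.1", "http://router.asus.com"}


def decode_login_authorization(value):
    """Decode the base64 'login_authorization' form field into (user, password).

    Returns None when the value is not valid base64 or has no 'user:password'
    separator, so a malformed field is rejected instead of raising.
    """
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def csrf_check(headers, form, session_token):
    """Return (accepted, reason) for a POST to the login endpoint.

    1. The Origin header (or the Referer's scheme://host as a fallback) must be
       one of the router's own origins; a page on another site cannot fake it.
    2. The form must carry the anti-CSRF token tied to this session, compared
       in constant time. A cross-site page cannot read the token, so it cannot
       include it even if it knows the admin password.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer:
            parsed = urlparse(referer)
            origin = f"{parsed.scheme}://{parsed.netloc}"
    if origin not in ROUTER_ORIGINS:
        return False, "origin-mismatch"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session_token):
        return False, "missing-or-bad-token"
    return True, "ok"


def handle_login(headers, form, session_token):
    """Hardened login handler: CSRF checks first, then credential decoding.

    'default_credentials' flags the factory admin:admin pair, the precondition
    the article names for the forged login to succeed without a known password.
    """
    ok, reason = csrf_check(headers, form, session_token)
    if not ok:
        return {"status": 403, "reason": reason}
    creds = decode_login_authorization(form.get("login_authorization", ""))
    if creds is None:
        return {"status": 400, "reason": "malformed-login_authorization"}
    user, password = creds
    return {
        "status": 200,
        "user": user,
        "default_credentials": (user, password) == ("admin", "admin"),
    }


if __name__ == "__main__":
    token = "constructed-session-token"
    # Constructed forged request: a page on another site posts admin:admin.
    forged = handle_login(
        {"Origin": "http://evil.example"},
        {"login_authorization": "YWRtaW46YWRtaW4=", "csrf_token": token},
        token,
    )
    # Constructed legitimate request from the router's own login page.
    genuine = handle_login(
        {"Referer": "http://192.168.1.1/index"},
        {"login_authorization": "YWRtaW46YWRtaW4=", "csrf_token": token},
        token,
    )
    print("forged  :", forged)
    print("genuine :", genuine)
```

The Origin check alone is not enough on its own: some browsers omit Origin on same-origin form posts and users can suppress Referer, so the token is the check that must never be skipped, and a request with neither header is rejected rather than trusted. The `default_credentials` flag is the cheap detection that turns the article's precondition into an actionable warning in the admin UI or logs.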
A successful login means an attacker is able to change the router’s settings, and hijack the DNS, for example, but Nightwatch admitted “we have not been able to exploit this issue consistently.” Nightwatch also notes two JSONP bugs, which can reveal potentially sensitive information such as a network map and details about the router.
Asus has addressed the CSRF issues in a March firmware update, but doesn’t consider one of Nightwatch’s non-CSRF issues, CVE-2017-5892, to be serious enough to warrant a fix. Also included in the updated firmware are fixes for:
CVE-2017-6547, a cross-site scripting bug in the routers’ HTTP daemon.
CVE-2017-6549, a session hijack vulnerability in the HTTP daemon.
CVE-2017-6548, a remote code execution buffer overflow in the routers’ networkmap command.
Get patching if you haven’t already. ®