CVE Number – CVE-2017-12754
A vulnerability in the httpd daemon in Asuswrt-Merlin firmware used by multiple Asus routers could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability is due to improper processing of crafted HTTP GET request packets that is performed by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP GET request that contains a long delete_offline_client parameter to a targeted system. An exploit could trigger a stack-based buffer overflow condition which the attacker could use to execute arbitrary code on the system.
Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.
Asus has confirmed the vulnerability and released software updates.
To exploit this vulnerability, an attacker must authenticate to the deleteOfflineClient.cgi page of a targeted system. This access requirement may reduce the likelihood of a successful exploit.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to allow only privileged users to access administration or management systems.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems.
Asus has released a changelog at the following link: Changelog 380.xx – 380.68_2 (12-Sept-2017)
Asus has released software updates at the following link: Asuswrt-Merlin firmware verison 380.68_2 or later
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.