The Hacker News (THN:D8D7081B8AAB1CA4AC7EE3D8D752DD1C)
Jun 17, 2024 - 2:39 p.m.

ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models

2024-06-17 14:39:00
The Hacker News
thehackernews.com

Tags: asus, patches, critical, authentication, bypass, buffer overflow, flaws, router, models, cve-2024-3080, cve-2024-3079, vulnerability, update, security, threat, remote attackers, cvss score, exploit chain

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.3 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 39.3%)


ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication.

Tracked as CVE-2024-3080, the vulnerability carries a CVSS score of 9.8 out of a maximum of 10.0.

“Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device,” according to a description of the flaw shared by the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC).

Also patched by the Taiwanese company is a high-severity buffer overflow flaw tracked as CVE-2024-3079 (CVSS score: 7.2) that could be weaponized by remote attackers with administrative privileges to execute arbitrary commands on the device.


In a hypothetical attack scenario, a bad actor could fashion CVE-2024-3080 and CVE-2024-3079 into an exploit chain in order to sidestep authentication and execute malicious code on susceptible devices.

Both shortcomings impact the following products:

  • ZenWiFi XT8 version 3.0.0.4.388_24609 and earlier (Fixed in 3.0.0.4.388_24621)
  • ZenWiFi XT8 V2 version 3.0.0.4.388_24609 and earlier (Fixed in 3.0.0.4.388_24621)
  • RT-AX88U version 3.0.0.4.388_24198 and earlier (Fixed in 3.0.0.4.388_24209)
  • RT-AX58U version 3.0.0.4.388_23925 and earlier (Fixed in 3.0.0.4.388_24762)
  • RT-AX57 version 3.0.0.4.386_52294 and earlier (Fixed in 3.0.0.4.386_52303)
  • RT-AC86U version 3.0.0.4.386_51915 and earlier (Fixed in 3.0.0.4.386_51925)
  • RT-AC68U version 3.0.0.4.386_51668 and earlier (Fixed in 3.0.0.4.386_51685)

Earlier this January, ASUS patched another critical vulnerability, tracked as CVE-2024-3912 (CVSS score: 9.8), that could permit an unauthenticated remote attacker to upload arbitrary files and execute system commands on the device.

Users of affected routers are advised to update to the latest version to secure against potential threats.
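
To act on the list above across a fleet, the following added example (not from the article or from ASUS) compares each device's reported firmware against the fixed version for its model. It assumes firmware strings use the same `dotted_build` format as the list; the inventory, host names and the `RT-EXAMPLE` model are constructed for illustration.

```python
import re

# Fixed firmware versions per model, copied from the article's list.
FIXED = {
    "ZenWiFi XT8": "3.0.0.4.388_24621",
    "ZenWiFi XT8 V2": "3.0.0.4.388_24621",
    "RT-AX88U": "3.0.0.4.388_24209",
    "RT-AX58U": "3.0.0.4.388_24762",
    "RT-AX57": "3.0.0.4.386_52303",
    "RT-AC86U": "3.0.0.4.386_51925",
    "RT-AC68U": "3.0.0.4.386_51685",
}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)_(\d+)$")

def parse_version(text):
    """Turn '3.0.0.4.388_24609' into (3, 0, 0, 4, 388, 24609) for ordering."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")) + (int(m.group(2)),)

def assess(model, installed):
    """Return 'patched', 'vulnerable', 'not-listed' or 'unparseable'."""
    fixed = FIXED.get(model)
    if fixed is None:
        return "not-listed"      # model is not in the article's list
    try:
        current = parse_version(installed)
    except ValueError:
        return "unparseable"     # flag for manual review, do not guess
    return "patched" if current >= parse_version(fixed) else "vulnerable"

# Constructed inventory for illustration (not real devices).
INVENTORY = [
    ("edge-01", "RT-AX88U", "3.0.0.4.388_24198"),
    ("edge-02", "RT-AX58U", "3.0.0.4.388_24762"),
    ("edge-03", "RT-AC68U", "3.0.0.4.386_51668"),
    ("edge-04", "RT-AX57", "3.0.0.4.386_52303-beta"),   # unexpected suffix
    ("edge-05", "RT-EXAMPLE", "3.0.0.4.380_1000"),      # hypothetical model
]

def report(inventory=INVENTORY):
    """Map each host to its assessment."""
    return {host: assess(model, ver) for host, model, ver in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Devices reported as `unparseable` or `not-listed` still need a manual check against the vendor's own advisory, since this table covers only the models named in the article.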

