A vulnerability affecting a number of ASUS small office/home office routers was recently discovered and made public by Joshua J. Drake, who posted it on his Twitter account earlier this week. It allows an attacker to, among other things, re-route traffic to malicious sites or act as a man-in-the-middle.
The vulnerability (CVE-2014-9583) allows an attacker on the local network to execute commands as root. The bug is in the infosvr service, which runs as root and listens on port 9999. “It’s used by one of ASUS’s tools to ease router configuration by automatically locating routers on the local subnet. This service runs with root privileges and contains an unauthenticated command execution vulnerability,” says Drake.
The affected router models include the popular RT-AC66U and RT-N66U, among others. All versions of their firmware are currently assumed vulnerable. Drake's recommendation is to “remove the remote command execution functionality from this service. Even if it were guarded with strong authentication, broadcasting a password to the entire LAN isn’t really something to be desired.”
Suggested workarounds include:
- David Longenecker recommends using a script to kill the infosvr service on boot
- Eric Sauvageau recommends firewalling off port 9999
- Ironically, using an exploit to kill the service after boot also works
If you are a network administrator and these routers are part of your network, make sure you use one of the workarounds to protect your network, because an exploit has already been released for this vulnerability.
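The first two workarounds above can be combined into one boot-time script that also checks the result. This is an added example, not code from Longenecker, Sauvageau or ASUS. It assumes the router shell provides `killall`, `iptables`, `netstat` and `awk`; the page does not name the protocol, so both UDP and TCP are blocked, and the netstat samples are constructed.

```shell
#!/bin/sh
# Added example (not from the article): stop infosvr and firewall its port.
PORT=9999                 # port named in the article
DRY_RUN=${DRY_RUN:-1}     # 1 = only print the commands, 0 = execute them

# Constructed `netstat -lntu` samples: before and after the mitigation.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN
udp        0      0 0.0.0.0:9999    0.0.0.0:*'
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN
udp        0      0 0.0.0.0:19999   0.0.0.0:*'

# Succeeds (exit 0) if the netstat text in $1 shows a socket bound to $PORT.
# The port is compared exactly, so 19999 does not count as 9999.
has_listener() {
    printf '%s\n' "$1" | awk -v p="$PORT" '
        $1 ~ /^(tcp|udp)/ { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

mitigate() {
    # Workaround 1: kill the service (ignore "no process found").
    run killall infosvr || true
    # Workaround 2: drop traffic to the port so a restarted service stays unreachable.
    for proto in udp tcp; do
        run iptables -I INPUT -p "$proto" --dport "$PORT" -j DROP
    done
}

# Only act when called as: script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
    mitigate
    if has_listener "$(netstat -lntu 2>/dev/null)"; then
        echo "port $PORT still has a listener" >&2
        exit 1
    fi
    echo "infosvr stopped and port $PORT firewalled"
fi
```

Run without arguments, the script changes nothing; how it is hooked into the boot sequence depends on the firmware.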