Five ASUS RT series routers suffer from a vendor vulnerability that default FTP service to anonymous access, full read/write permissions. The service, which is activated from the administrative console does not give proper instructions nor indications that the end user needs to manually add a user to the FTP access table. The vendor was first alerted to this issue in late June of 2012, and then four other times officially from July 2012 to December 2012. It was not until January of this year, when the editors for the Norwegian publication IDG/PC World went to ASUS that any official response came. This vulnerability has been exploited aggressively for sometime now, and as a rolling count which has been kept ongoing since July 2012, over 30,000 unique IP address, at one time or another have had their FTP service shared. The FTP services, when not secured, allows for full read/write access to any external storage devices attached to the usb drives on the router. The vendor has issued an official (beta) patch for the RT-AC68U as of mid-January, and plans on additional patches in the coming week. Models Include: RT-AC68U RT-AC56U RT-AC66U RT-N66U RT-N16 CWE-287: Improper Authentication CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:N/E:H/RL:OF/RC:C) CVSS Base Score 9.4 Impact Subscore 9.2 Exploitability Subscore 10 CVSS Temporal Score 8.2 Overall CVSS Score 8.2 Many have reported malware being uploaded into the sync share folders, large amounts of unauthorized file sharing and most importantly the theft of entire hard drives of personal information. Over 7,300 units are still vulnerable to this weakness as of today. It is strongly urged that those with any of the above routers check to ensure that their FTP service has been secured. Links: https://www.asus.com/Networking/RTAC68U/#support http://www.idg.no/pcworld/article281004.ece http://www.thinkbroadband.com/news/6229-new-asus-router-firmware-to-fix-ftp-security-issue.html http://www.pcworld.com/article/2087180/asus-simplifies-router-configuration-to-protect-external-hard-drives.html Research Contact - Kyle Lovett Discovered - June, 2012