Correction: I meant to say 2013, not 2012. I apologize for the error. On Wed, Feb 12, 2014 at 4:29 PM, kyle Lovett <krlovett@xxxxxxxxx> wrote: > Five ASUS RT series routers suffer from a vendor vulnerability that > default FTP service to anonymous access, full read/write permissions. > The service, which is activated from the administrative console does > not give proper instructions nor indications that the end user needs > to manually add a user to the FTP access table. > > The vendor was first alerted to this issue in late June of 2012, and > then four other times officially from July 2012 to December 2012. It > was not until January of this year, when the editors for the Norwegian > publication IDG/PC World went to ASUS that any official response came. > > This vulnerability has been exploited aggressively for sometime now, > and as a rolling count which has been kept ongoing since July 2012, > over 30,000 unique IP address, at one time or another have had their > FTP service shared. > > The FTP services, when not secured, allows for full read/write access > to any external storage devices attached to the usb drives on the > router. > > The vendor has issued an official (beta) patch for the RT-AC68U as of > mid-January, and plans on additional patches in the coming week. > > Models Include: > > RT-AC68U > RT-AC56U > RT-AC66U > RT-N66U > RT-N16 > > CWE-287: Improper Authentication > CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:N/E:H/RL:OF/RC:C) > > CVSS Base Score 9.4 > Impact Subscore 9.2 > Exploitability Subscore 10 > CVSS Temporal Score 8.2 > Overall CVSS Score 8.2 > > Many have reported malware being uploaded into the sync share folders, > large amounts of unauthorized file sharing and most importantly the > theft of entire hard drives of personal information. Over 7,300 units > are still vulnerable to this weakness as of today. > > It is strongly urged that those with any of the above routers check to > ensure that their FTP service has been secured. > > Links: > https://www.asus.com/Networking/RTAC68U/#support > http://www.idg.no/pcworld/article281004.ece > http://www.thinkbroadband.com/news/6229-new-asus-router-firmware-to-fix-ftp-security-issue.html > http://www.pcworld.com/article/2087180/asus-simplifies-router-configuration-to-protect-external-hard-drives.html > > Research Contact - Kyle Lovett > Discovered - June, 2012
