ASUS urges customers to patch critical router vulnerabilities

MuzzMelbourne

Mar 13, 2022
ASUS has released new firmware with cumulative security updates that address vulnerabilities in multiple router models, warning customers to immediately update their devices or restrict WAN access until they're secured.

As the company explains, the newly released firmware contains fixes for nine security flaws, including high and critical ones.

The most severe of them are tracked as CVE-2022-26376 and CVE-2018-1160. The first is a critical memory corruption weakness in the Asuswrt firmware for Asus routers that could let attackers trigger denial-of-service states or gain code execution.

The other critical patch is for an almost five-year-old CVE-2018-1160 bug caused by an out-of-bounds write Netatalk weakness that can also be exploited to gain arbitrary code execution on unpatched devices.
 
an almost five-year-old CVE-2018-1160 bug
 
Most of these CVEs have been fixed over the last year. It seems they are more concerned about people running really old firmware missing multiple big fixes. The two highlighted CVEs were fixed last year in Merlin's custom firmware and shortly after by ASUS. Only a handful of these CVEs were in the latest firmware (which is over a month old), and it looks like more of a standard security update. Some of these CVEs only apply to individual router models. It's a weird announcement since there isn't actually any 'new' firmware for most of these devices.