ASUSWRT Information Disclosure on update_applist.asp

CVE ID

CVE-2018-20333

Tested Versions

  • ASUSWRT 3.0.0.4.384.20308 (2018/02/01)

Product URL(s)

  • https://www.asus.com/us/ASUSWRT/

ASUSWRT is the firmware shipped with modern ASUS routers. It has a web-based interface, so it doesn't need a separate app, nor does it restrict what you can change from mobile devices: you get full access to everything from any device that can run a web browser.

Vulnerability

An unauthenticated user can request http://<ROUTERIP>/update_applist.asp to learn whether a USB device is attached to the router and whether any apps are installed on it. Although learning whether a USB storage device is attached may not seem like a vulnerability on its own, it lets an attacker learn more about the router.
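The following is an added example, not part of the STAR Labs advisory and not ASUS code: a post-patch check that requests update_applist.asp without credentials and reports whether the router still serves the page. It assumes the router speaks plain HTTP on port 80 and that fixed firmware answers an unauthenticated request with a redirect to the login page, a 401/403, or the login form itself rather than the page body; those response patterns are assumptions, as is the default LAN address 192.168.1.1.

```python
"""Added example (not from the advisory): verify that update_applist.asp is no
longer served to unauthenticated clients. Assumptions: plain HTTP on port 80,
and patched firmware answers with a login redirect, 401/403, or the login form."""
from dataclasses import dataclass
from http.client import HTTPConnection

ENDPOINT = "/update_applist.asp"  # path named in the advisory


@dataclass
class Verdict:
    exposed: bool
    reason: str


def classify_response(status: int, headers: dict, body: str) -> Verdict:
    """Map the HTTP response to the unauthenticated request onto a verdict.

    Heuristics (assumptions, not statements from the advisory):
      * redirect whose Location mentions a login page -> not exposed
      * 401/403                                        -> not exposed
      * 200 whose body is itself a login form          -> not exposed
      * 200 with any other non-empty body              -> exposed
    Anything else is reported as not exposed but inconclusive.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "")
    if status in (301, 302, 303, 307, 308) and "login" in location.lower():
        return Verdict(False, f"redirected to login page: {location}")
    if status in (401, 403):
        return Verdict(False, f"rejected with HTTP {status}")
    if status == 200:
        lowered = body.lower()
        if 'type="password"' in lowered or "main_login" in lowered:
            return Verdict(False, "served the login form instead of the page")
        if body.strip():
            return Verdict(True, f"served {len(body)} bytes without authentication")
        return Verdict(False, "HTTP 200 with empty body (inconclusive)")
    return Verdict(False, f"unexpected HTTP {status} (inconclusive)")


def check_router(host: str, timeout: float = 5.0) -> Verdict:
    """Issue the unauthenticated GET and classify the answer (network call)."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", ENDPOINT, headers={"User-Agent": "applist-patch-check"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return classify_response(resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    # Default LAN address is an assumption; pass the router's address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    verdict = check_router(target)
    print("EXPOSED" if verdict.exposed else "OK", "-", verdict.reason)
```

Run it as `python check_applist.py <ROUTERIP>` after applying the vendor's firmware update; an `EXPOSED` verdict means the page body is still returned to a client that never logged in, so the update did not take effect.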

The information can be seen by viewing the source of the update_applist.asp page:

Vendor Response

The vendor has acknowledged the issue and issued a firmware update to correct it.

Timeline

  • 2019-02-19 Vendor disclosure
  • 2019-02-25 Vendor acknowledged and patched

Credit

Discovered by CodeBreaker of STAR Labs
