CVE: CVE-2018-20333
Tested Versions: ASUSWRT 3.0.0.4.384.20308 (2018/02/01)
Product URL(s): https://www.asus.com/us/ASUSWRT/
ASUSWRT is the firmware that is shipped with modern ASUS routers. ASUSWRT has a web-based interface, so it doesn’t need a separate app, or restrict what you can change via mobile devices – you get full access to everything, from any device that can run a web browser.
Vulnerability
An unauthenticated user can request http://<ROUTERIP>/update_applist.asp
to see whether a USB device is attached to the router and whether any apps are installed on it.
Although knowing that USB storage is attached to the device may not seem like a vulnerability,
it lets an attacker learn more about the router.
The information can be seen by viewing the source of the update_applist.asp page:
Timeline
- 2018-12-14 Vendor disclosure
Vendor Response
The vendor has acknowledged the issue and issued a firmware update to correct it.