CVE-2021-45756
Description
A buffer overflow in blocking_request.cgi on ASUS RT-AC68U and RT-AC5300 routers allows unauthenticated remote attackers to potentially execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow vulnerability exists in the blocking_request.cgi component of ASUS RT-AC68U firmware versions prior to 3.0.0.4.385.20633 and RT-AC5300 firmware versions prior to 3.0.0.4.384.82072. An attacker can corrupt memory by sending specially crafted input to the CGI script, which overwrites adjacent memory regions. The vulnerability is present in the handling of network requests processed by the web interface.
Exploitation
The attacker must be able to send network requests to the affected router's web interface on the management port (typically TCP 80 or 443). No authentication is required. A crafted HTTP request to blocking_request.cgi whose payload exceeds the buffer capacity triggers the overflow: an input parameter or data field is larger than expected, and the program writes beyond the allocated buffer.
Impact
Successful exploitation can lead to arbitrary code execution on the device, with the privileges of the web server process (typically root). This compromise would give the attacker full control over the router, enabling activities such as intercepting network traffic, modifying DNS settings, installing malware, or pivoting to internal network hosts.
Mitigation
ASUS has released firmware updates addressing the vulnerability: version 3.0.0.4.385.20633 for RT-AC68U and version 3.0.0.4.384.82072 for RT-AC5300. Users should update to these or later versions. No known workarounds are available. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Users with EOL devices should consider replacement.
[1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3
Patches
0
No patches discovered yet.
References
2
- asus.com (mitre, x_refsource_MISC)
- rt-ac68u.com (mitre, x_refsource_MISC)