ASUS RT-AX56U - Path Traversal
Description
ASUS RT-AX56U’s update_json function has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated LAN attacker can overwrite a system file by uploading another file with the same file name, which results in service disruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASUS RT-AX56U firmware suffers a path traversal in the update_json function, allowing an unauthenticated LAN attacker to overwrite system files and cause service disruption.
Vulnerability
The vulnerability exists in the update_json function of ASUS RT-AX56U firmware versions prior to 3.0.0.4.386.45934. The function does not sufficiently filter special characters in a URL parameter, leading to a path traversal condition [1]. The affected product is ASUS RT-AX56U firmware version 3.0.0.4.386.45898 [1]. The attacker can upload a crafted JSON file, which may overwrite a system file with the same file name [1].
Exploitation
An unauthenticated attacker on the same LAN can exploit this vulnerability [1]. The attacker must be able to reach the update_json endpoint and supply a URL parameter containing path traversal sequences (e.g., ../). Exploitation involves uploading a specially crafted JSON file that, because of the insufficient path sanitization, is written to an arbitrary system directory [1]. No user interaction is needed [1].
Impact
Successful exploitation allows an attacker to overwrite an arbitrary system file, which can lead to service disruption [1]. The CVSS vector indicates high impact to integrity and availability, but no direct impact to confidentiality (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) [1]. The attacker gains the ability to disrupt router services, potentially making the device unstable or inoperable [1].
Mitigation
The vulnerability is fixed in firmware version 3.0.0.4.386.45934, released on an undisclosed date before the publication of this CVE [1]. Users should update their ASUS RT-AX56U router to this firmware version or later [1]. No workarounds are mentioned in the reference [1].
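The class of check whose absence the description points to, as an added example (not ASUS's code and not the vendor's fix): decode the URL parameter once, then accept it only if it is a plain `.json` file name before joining it to a fixed directory. The function names, the `/tmp/json` base directory and the 64-byte name limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode %XX escapes once; -1 on malformed escape, encoded NUL or overflow. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            unsigned int v = 0;
            if (!isxdigit((unsigned char)in[i + 1]) || !isxdigit((unsigned char)in[i + 2]))
                return -1;
            sscanf(&in[i + 1], "%2x", &v);
            if (v == 0) return -1;            /* %00 would truncate the name */
            c = (unsigned char)v;
            i += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Write "<base>/<name>" to out only if the decoded name is a plain *.json
 * file name. Allow-list: letters, digits, '.', '_' and '-'; so '/', '\\',
 * a leftover '%' (double encoding) and control characters are all refused. */
int safe_json_path(const char *base, const char *raw, char *out, size_t outlen)
{
    char name[64];                            /* assumed length limit */
    if (url_decode(raw, name, sizeof name) != 0) return -1;
    size_t n = strlen(name);
    if (n < 6 || name[0] == '.' || strstr(name, "..")) return -1;
    if (strcmp(name + n - 5, ".json") != 0) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return -1;
    }
    int w = snprintf(out, outlen, "%s/%s", base, name);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void)
{
    char p[128];                              /* constructed sample input below */
    puts(safe_json_path("/tmp/json", "../notice.json", p, sizeof p) ? "rejected" : p);
    return 0;
}
```

Validation runs on the decoded value, so an encoded separator is judged by what the file system would actually see.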
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: 3.0.0.4.386.45898
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.twcert.org.tw/tw/cp-132-5784-68aa3-1.html (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.