VYPR
Unrated severity · NVD Advisory · Published Apr 7, 2022 · Updated Sep 16, 2024

ASUS RT-AC86U - Improper Input Validation

CVE-2022-25595

Description

ASUS RT-AC86U has improper user request handling, which allows an unauthenticated LAN attacker to cause a denial of service by sending a particular request that triggers a server-to-client reply attempt.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated LAN attacker can cause a denial of service on the ASUS RT-AC86U router by sending a specially crafted request.

Vulnerability

The ASUS RT-AC86U router firmware version 3.0.0.4.386.45956 contains an improper input validation vulnerability in its handling of user requests. An unauthenticated attacker on the local network can send a particular request that triggers a server-to-client reply attempt, which leads to a denial of service. The issue is fixed in firmware version 3.0.0.4_386_46092. [1]

Exploitation

An attacker must be on the same LAN as the affected router. No authentication is required. The attacker establishes a connection with the router and sends a specific crafted message. Due to improper handling, the router attempts to reply but fails, causing a service interruption. No user interaction is needed. [1]

Impact

Successful exploitation results in a denial of service (DoS) condition, rendering the router unavailable. The CVSS score is 6.5 (Medium) with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating high availability impact but no confidentiality or integrity impact. [1]

Mitigation

The vendor has released a fix in firmware version 3.0.0.4_386_46092. Users should update their ASUS RT-AC86U firmware to this version or later. No workarounds are mentioned in the reference. The issue was publicly disclosed on 2022-03-07. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Asus/RT-AC86U (llm-fuzzy), 2 versions
    • (no CPE)
    • (no CPE), range: 3.0.0.4.386.45956

References

1