VYPR
Unrated severity · NVD Advisory · Published Nov 3, 2023 · Updated Sep 6, 2024

ASUS RT-AX55 - command injection - 4

CVE-2023-41348

Description

ASUS RT-AX55 firmware 3.0.0.4.51598 contains a command injection vulnerability in authentication code verification, allowing authenticated remote attackers to execute arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ASUS RT-AX55 router firmware version 3.0.0.4.51598 has a command injection vulnerability in the module that verifies authentication codes. The module fails to properly filter special characters in user-supplied parameters. This affects the confirm-verification-code functionality and enables injection of arbitrary operating system commands. The vulnerability is present in firmware 3.0.0.4.51598 and earlier versions [1].

Exploitation

An attacker must have network access to the router and valid authentication credentials (e.g., administrator password). No user interaction is required beyond authentication. The attacker sends a specially crafted request to the authentication verification endpoint, injecting shell metacharacters into the unsanitized parameter. The injected commands are then executed by the underlying system [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the affected router with root privileges. This can lead to full compromise of confidentiality, integrity, and availability: the attacker can read sensitive data, modify device configuration, install persistent backdoors, disrupt networking services, or completely terminate system operation [1].

Mitigation

The vendor released a fixed firmware version 3.0.0.4.386_51948 on 2023-11-03 to address this vulnerability. Users should update their RT-AX55 routers to this version or later through the device's administration interface. No workaround is available for older firmware [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Asus/RT-AX55 (llm-fuzzy, 2 versions)
    • (no CPE)
    • (no CPE), range: 3.0.0.4.386.51598

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
