Potential security issue in ASUS router default configurations

Number: AV14-016
Date: 27 March 2014

Purpose

The purpose of this advisory is to bring attention to the default configuration of specific ASUS routers, which allows full unauthenticated access to attached storage devices on all interfaces, including the WAN (Internet) interface.

Assessment

CCIRC is aware of remote users implanting files on storage devices attached to users' routers. The default configuration allows anyone on the Internet to access these connected devices without providing a username and password.

Affected models: RT-N66U, RT-N66R and RT-N66W.

Suggested action

Careful consideration should be given before opting to share files over the Internet. Misconfigured file sharing can result in some or all of the files on your computers being openly accessible and potentially used for malicious purposes.

CCIRC recommends that users who wish to share files enable the appropriate security configuration options. Users who are unsure of the configuration, or who do not wish to share files from attached devices such as USB thumb drives, should apply the manufacturer's firmware update to the affected routers. If you have already attached a device to your router in this manner and have not explicitly enabled security, CCIRC highly recommends that you remove the device from the router and scan it for security issues using up-to-date anti-virus software on your personal computer.
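As an added example (not part of this advisory and not ASUS code), the following Python script checks for the exposure described above from the outside: it connects to a router's file-sharing service and reports whether an anonymous login is accepted. The advisory does not name the sharing protocol; the script assumes the attached storage is served over FTP, which is an assumption. The stub FTP responder included in the block is constructed only so the check can be exercised offline; in practice the script is pointed at the router's WAN address from a host outside the local network.

```python
"""Probe a router for an anonymous (unauthenticated) file-share login.

Added example, not part of the CCIRC advisory or ASUS firmware. The advisory
names no protocol; this script ASSUMES the attached storage is shared over
FTP (an assumption) and tests whether an anonymous login is accepted. Run it
against the router's WAN address from outside your LAN; a successful login
from there means the attached storage is readable by anyone on the Internet.
"""
import ftplib
import socketserver
import threading


def anonymous_ftp_exposed(host, port=21, timeout=5.0):
    """Return True if the FTP service at host:port accepts an anonymous login,
    False if it refuses the login, is closed, or times out."""
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        # RFC 1635 convention: user "anonymous", e-mail-like password.
        ftp.login("anonymous", "probe@example.invalid")
        return True
    except ftplib.error_perm:
        return False          # 5xx reply: login refused, authentication is on
    except (OSError, ftplib.Error):
        return False          # closed port, timeout, or protocol error
    finally:
        ftp.close()


class _StubFtpHandler(socketserver.StreamRequestHandler):
    """Minimal FTP responder, constructed for offline demonstration only. It
    speaks just enough of RFC 959 to accept or reject a login depending on
    the server's allow_anonymous flag (mimicking a router with or without
    share authentication enabled)."""

    def handle(self):
        self.wfile.write(b"220 stub router ftp\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return                      # client closed the connection
            cmd, _, _arg = line.strip().decode("ascii", "replace").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                if self.server.allow_anonymous:
                    self.wfile.write(b"230 Logged in (no authentication configured)\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_stub_ftp(allow_anonymous):
    """Start the stub responder on 127.0.0.1 on an ephemeral port in a
    background thread; returns (server, port). Constructed test fixture."""
    socketserver.TCPServer.allow_reuse_address = True
    server = socketserver.TCPServer(("127.0.0.1", 0), _StubFtpHandler)
    server.allow_anonymous = allow_anonymous
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the check against a stub in both states; returns a dict mapping
    the stub's configuration to the check's verdict."""
    results = {}
    for label, allow in (("unauthenticated default", True), ("login required", False)):
        server, port = start_stub_ftp(allow)
        try:
            results[label] = anonymous_ftp_exposed("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]  # e.g. the router's WAN address, probed from outside
        print(target, "EXPOSED" if anonymous_ftp_exposed(target) else "not exposed")
    else:
        print(demo())
```

A "not exposed" result covers only the FTP probe; it says nothing about other sharing services the router may run, and a probe from inside the LAN does not show what the Internet sees, so run it from an outside host against the WAN address.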

References

ASUS releases updates:
http://news.softpedia.com/news/ASUS-Fixes-Vulnerabilities-in-RT-N66U-RT-N66R-and-RT-N66W-Routers-426689.shtml

Firmware updates for affected routers:
http://drivers.softpedia.com/downloadTag/RT-N66+Firmware+3.0.0.4.374.4422
http://support.asus.com/download/options.aspx?SLanguage=en&type=3

Risks of downloading and file sharing:
http://www.getcybersafe.gc.ca/cnt/rsks/nln-ctvts/dlng-shrng-eng.aspx

Router Security Configuration Guide
http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca