Trustwave SpiderLabs Security Advisory TWSL2020-004:
Multiple Vulnerabilities in ASUS RT-AC1900P router

Published: 07/10/20
Version: 1.0

Vendor:  AsusTek Computer Inc. (www.asus.com)
Product: ASUS RT-AC1900P router
Version affected: 3.0.0.4.385_10000-gd8ccd3c

Product description:
Dual Band Gigabit Wireless AC Router with AiMesh Support.

Finding 1: Firmware update accepts forged server certificates.
Credit: Martin Rakhmanov of Trustwave
CVE: CVE-2020-15498

The router accepts forged server certificates for the firmware update. As a
result, MITM attack is trivial when the device is connected to a malicious
network. The culprit is the --no-check-certificate option passed to wget tool
used to download firmware update files on the router.

Finding 2: Firmware release notes dialog in the router management web interface is susceptible to cross site scripting.
Credit: Martin Rakhmanov of Trustwave
CVE: CVE-2020-15499

Given that the device accepts forged certificates, an attacker can trick the
router to display a message that a new firmware is available when the admin user
open the Firmware Upgrade page. Furthermore, an attacker can then craft
malicious file containing release notes for the "new" firmware that will contain
arbitrary javascript. Due to cross site scripting the malicious javascript will 
be executed when an unsuspecting admin user clicks the release notes link on the 
Firmware Upgrade page.


Example contents for the malicious release notes file:

</textarea>
  
<script>alert(document.cookie);</script>

<textarea>

Remediation Steps:
Upgrade the firmware to version 3.0.0.4.385_20253 or the latest stable release.

Revision History:
12/17/2019 - Vulnerability disclosed to vendor
03/10/2020 - Patch released by vendor without notification
04/06/2020 - Researcher discovered a new ASUS patch
05/14/2020 - Vendor could not confirm whether the patch fixes both issues
06/08/2020 - Researcher confirms that patch fixes both issues
07/22/2020 - Advisory published

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.