CVE-2017-14699: XML External Entity (XXE) vulnerabilities in the AiCloud feature of ASUS DSL routers allow authenticated users to read arbitrary files.


Description

Multiple XML External Entity (XXE) vulnerabilities exist in the AiCloud feature of several ASUS DSL router models. They allow remote authenticated users to read arbitrary files on the device by supplying a crafted Document Type Definition (DTD) in either an UPDATEACCOUNT request or a PROPFIND request. The weakness is classified as CWE-611 (Improper Restriction of XML External Entity Reference) and affects numerous models in the DSL series, including the DSL-AC51, DSL-AC52U, DSL-AC55U and others. Successful exploitation can disclose sensitive information and give unauthorized access to files stored on the router.

Overview

An XXE vulnerability arises when an XML parser is left free to resolve external entities declared in a document's DTD. In the AiCloud case, an authenticated attacker submits an XML request whose DTD declares an entity with a SYSTEM identifier pointing at a file on the router's file system; when the parser expands that entity it reads the file and inlines its contents into the document being processed, which lets the attacker read files that should be off limits. On a router this can expose configuration files, stored credentials, or other sensitive data.

The vulnerability specifically affects the processing of XML data in two different request types:

  1. UPDATEACCOUNT requests in the AiCloud feature
  2. PROPFIND requests in the AiCloud feature

Both vulnerabilities require authentication, which narrows the exposed attack surface, but any user holding valid credentials for the device can exploit them, so they remain a serious concern for deployed routers.
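The mechanism described above, as an added example that is not code from the ASUS firmware or from the advisory: a WebDAV PROPFIND body (the RFC 4918 layout a WebDAV endpoint such as AiCloud's accepts) carries a DTD declaring an external entity that points at a local file. The body is parsed twice with Python's standard-library SAX parser, once with external general entity resolution switched on (the permissive configuration that produces CWE-611) and once with it switched off (the fix). The scratch file, its contents, the entity name `xxe` and the parser choice are all assumptions made for this demonstration; nothing here models the AiCloud implementation or the format of its UPDATEACCOUNT request.

```python
"""Added example (not ASUS code): the CWE-611 pattern behind CVE-2017-14699.

A PROPFIND-shaped XML body declares an external entity whose SYSTEM
identifier names a local file. The same body is parsed by a permissive
parser (external entities resolved) and by a hardened one (not resolved).
Scratch file, entity name and parser are assumptions for this demo.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed "secret" written to a scratch file so the example runs offline.
SECRET_CONTENT = "CONSTRUCTED-SECRET=admin:hunter2\n"


class _TextCollector(ContentHandler):
    """Collect character data so we can see what the parser actually produced."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def propfind_body(target_path):
    """Build a PROPFIND request body whose DTD declares an external entity.

    Everything except the <!DOCTYPE ...> block is ordinary RFC 4918 PROPFIND
    XML; the DOCTYPE is the injected part, and &xxe; marks where a parser
    that resolves external entities will inline the target file.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE D:propfind [\n'
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        ']>\n'
        '<D:propfind xmlns:D="DAV:">\n'
        '  <D:prop><D:displayname>&xxe;</D:displayname></D:prop>\n'
        '</D:propfind>\n'
    )


def parse_body(body, resolve_external_entities):
    """Parse an XML request body and return the text content it yields.

    resolve_external_entities=True lets the parser fetch and inline any
    SYSTEM entity the client declared (the CWE-611 condition).
    resolve_external_entities=False is the fix: the reference is never
    resolved, so no file contents enter the document.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body.encode("utf-8")))
    return collector.text()


def run_demo():
    """Write the scratch secret, parse the same body both ways, return both results."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET_CONTENT)
    try:
        body = propfind_body(path)
        return {
            "vulnerable": parse_body(body, resolve_external_entities=True),
            "hardened": parse_body(body, resolve_external_entities=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    results = run_demo()
    print("permissive parser saw:", repr(results["vulnerable"].strip()))
    print("hardened parser saw:  ", repr(results["hardened"].strip()))
```

The permissive run returns the scratch file's contents as if they had been typed into the displayname element; the hardened run returns only whitespace. The same one-line fix applies to any server-side parser: disable external entity (and, where offered, external DTD) resolution on input that clients control, rather than trying to filter DOCTYPE declarations out of the request.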

Remediation

To address these vulnerabilities, users should take the following actions:

  1. Update the router firmware to the latest version provided by ASUS, which has released fixed firmware for the affected models.

  2. Download the firmware from the ASUS support page for your router model (the HelpDesk_BIOS section of that page) and install it through the router's administration interface.

  3. If fixed firmware is not yet available for your model, apply these temporary mitigations:

    • Disable the AiCloud feature if it is not actively used, since the vulnerable XML parsing is reached through AiCloud
    • Use strong, unique credentials for every account that can log in to the router, because the flaw is exploitable by any authenticated user
    • Limit administrative access to trusted IP addresses only
    • Monitor router logs for suspicious activity, such as unexpected PROPFIND or UPDATEACCOUNT requests or repeated failed logins

  4. After updating, confirm that the firmware version shown in the router's administration interface matches the version listed on the ASUS support page.

References

  1. ASUS DSL-N14U-B1 firmware updates and advisories: https://www.asus.com/Networking/DSL-N14U-B1/HelpDesk_BIOS/

  2. Security Artwork vulnerability analysis (Note: This link may no longer be active): https://www.securityartwork.es/2018/01/25/some-vulnerability-in-asus-routers/

  3. CWE-611: Improper Restriction of XML External Entity Reference: https://cwe.mitre.org/data/definitions/611.html

  4. ASUS Support Center for checking firmware updates for all affected models: https://www.asus.com/support/
