Asus RT N12 + B1’s CSV Injection CVE-2024-28328

A vulnerability has been uncovered in the Asus RT N12+ B1 router, specifically related to CSV Injection. This flaw poses a significant threat to device security and the networks it serves. CSV Injection allows attackers to inject malicious commands into CSV files, potentially leading to unauthorized access, data manipulation, or system compromise.

Firmware

Impact of the Vulnerability

  • Attackers can execute arbitrary commands, compromising network integrity. 
  • Attackers may target other network-connected devices, amplifying the damage. 

Timeline

  • Initial Contact: 21/2/2024 – Report submitted to Asus, outlining the vulnerability.  
  • Follow-up Contact 2: 28/02/2024 – First follow-up communication with Asus.  
  • Asus Revert Back: 05/03/2024 – Acknowledgment received from Asus.  Asus has officially declared that the RT-N12+ B1 (RT-N300 B1) router has reached the end of its product life cycle. Consequently, firmware maintenance and updates for this model were discontinued years ago. This cessation of support leaves the device vulnerable to existing security flaws within its firmware. Asus has indicated that a beta version of the router’s firmware is now available for testing. They are seeking user feedback to ascertain if this beta version effectively addresses the identified issue. The beta firmware can be accessed and reviewed via the following link 
  • Follow-up Contact 3: 01/04/2024 – Second follow-up communication with Asus.
  • Follow-up Contact 4: 02/04/2024 – Third follow-up communication with Asus.  
  • Asus Revert Back: 12/04/2024 – Continued follow-up communication with Asus.  Asus has indicated that upon examination, they’ve determined that the firmware size for this model is excessively large, and the product has reached the end of its life cycle, posing challenges for ongoing maintenance. Additionally, they have provided a beta firmware version for the router firmware. They’ve requested feedback on whether the provided firmware effectively addresses the identified issues. You can access the beta firmware file through the following link  
  • Asus Revert Back: 01/04/2024 – Acknowledgment received from Asus.  

Vulnerability Description: CSV Injection in Asus RT N12 + B1 Router

CSV Injection vulnerabilities allow attackers to gain unwarranted access to sensitive information stored within networks. Attackers can compromise the router’s integrity, facilitating unauthorized network access and the execution of arbitrary commands. 

Proof-of-Concept: Exploiting Excel Formulas in Client Name Parameter

Exploiting the CSV Injection vulnerability enables attackers to inject malicious commands into CSV files, compromising network security. This could lead to data breaches, service outages, and regulatory non-compliance issues.

Proof of Attacks
Mitigation

The CSV Injection vulnerability is to validate user input and escape special characters when handling CSV files. If possible upgrade to the latest version.

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.

Join us on our journey of growth and development by signing up for our comprehensive courses.