ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models

admin, June 18, 2024, 12:16:23


ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication.


Tracked as CVE-2024-3080, the vulnerability carries a CVSS score of 9.8 out of a maximum of 10.0.


"Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device," according to a description of the flaw shared by the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC).


Also patched by the Taiwanese company is a high-severity buffer overflow flaw tracked as CVE-2024-3079 (CVSS score: 7.2) that could be weaponized by remote attackers with administrative privileges to execute arbitrary commands on the device.


In a hypothetical attack scenario, a bad actor could fashion CVE-2024-3080 and CVE-2024-3079 into an exploit chain in order to sidestep authentication and execute malicious code on susceptible devices.


Both shortcomings impact the following products:


  • ZenWiFi XT8 version 3.0.0.4.388_24609 and earlier (Fixed in 3.0.0.4.388_24621)

  • ZenWiFi XT8 V2 version 3.0.0.4.388_24609 and earlier (Fixed in 3.0.0.4.388_24621)

  • RT-AX88U version 3.0.0.4.388_24198 and earlier (Fixed in 3.0.0.4.388_24209)

  • RT-AX58U version 3.0.0.4.388_23925 and earlier (Fixed in 3.0.0.4.388_24762)

  • RT-AX57 version 3.0.0.4.386_52294 and earlier (Fixed in 3.0.0.4.386_52303)

  • RT-AC86U version 3.0.0.4.386_51915 and earlier (Fixed in 3.0.0.4.386_51925)

  • RT-AC68U version 3.0.0.4.386_51668 and earlier (Fixed in 3.0.0.4.386_51685)

Earlier this January, ASUS patched another critical vulnerability tracked as CVE-2024-3912 (CVSS score: 9.8) that could permit an unauthenticated remote attacker to upload arbitrary files and execute system commands on the device.


Users of affected routers are advised to update to the latest version to secure against potential threats.
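To check a device inventory against the affected and fixed builds listed above, the following added example (not from the original article or from ASUS) classifies each router by model and installed firmware version. It assumes build numbers after the underscore order numerically within one firmware branch; the hostnames and installed versions in the sample are constructed.

```python
import re

# (last affected build, first fixed build) per model, copied from the list above.
ADVISORY = {
    "ZenWiFi XT8":    ("3.0.0.4.388_24609", "3.0.0.4.388_24621"),
    "ZenWiFi XT8 V2": ("3.0.0.4.388_24609", "3.0.0.4.388_24621"),
    "RT-AX88U":       ("3.0.0.4.388_24198", "3.0.0.4.388_24209"),
    "RT-AX58U":       ("3.0.0.4.388_23925", "3.0.0.4.388_24762"),
    "RT-AX57":        ("3.0.0.4.386_52294", "3.0.0.4.386_52303"),
    "RT-AC86U":       ("3.0.0.4.386_51915", "3.0.0.4.386_51925"),
    "RT-AC68U":       ("3.0.0.4.386_51668", "3.0.0.4.386_51685"),
}
_VERSION = re.compile(r"^(\d+(?:\.\d+)+)_(\d+)$")

def parse(version):
    """Split '3.0.0.4.388_24609' into (branch tuple, build number)."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def status(model, version):
    """Classify one device against the advisory list."""
    if model not in ADVISORY:
        return "not-listed"
    branch, build = parse(version)
    (_, last_affected), (fix_branch, first_fixed) = map(parse, ADVISORY[model])
    if branch != fix_branch:
        return "other-branch"      # the list gives no builds for other branches
    if build >= first_fixed:
        return "patched"
    if build <= last_affected:
        return "affected"
    return "unconfirmed"           # between the two listed builds: update anyway

def audit(inventory):
    """Return (host, model, version, status) for every device that is not patched."""
    rows = [(h, m, v, status(m, v)) for h, m, v in inventory]
    return [r for r in rows if r[3] != "patched"]

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("gw-office", "RT-AX88U", "3.0.0.4.388_24198"),
    ("gw-lab", "RT-AX58U", "3.0.0.4.388_24762"),
    ("gw-home", "RT-AC68U", "3.0.0.4.386_51685"),
    ("mesh-1", "ZenWiFi XT8", "3.0.0.4.388_24615"),
    ("gw-old", "RT-AX57", "3.0.0.4.388_10000"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

A result of `not-listed` or `other-branch` only means the list above has no entry to compare against, not that the device is unaffected.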


References

[1] https://thehackernews.com/2024/06/asus-patches-critical-authentication.html


Originally published on the WeChat public account 知机安全: ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models
