CVE-2018-6000 in AsusWRT
Summary
by MITRE
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/03/2024
The vulnerability identified as CVE-2018-6000 represents a critical authentication bypass flaw affecting various Asus router models running firmware versions prior to 3.0.0.4.384_10007. This issue resides within the vpnupload.cgi component of the AsusWRT firmware, specifically in the do_vpnupload_post function located in router/httpd/web.c. The flaw stems from improper input validation and access control mechanisms that allow unauthenticated attackers to manipulate NVRAM configuration values through a specially crafted HTTP request. Security researchers have noted that this vulnerability operates in conjunction with CVE-2018-5999, creating a chained attack vector that significantly amplifies the threat landscape for affected devices.
The technical implementation of this vulnerability exploits a design flaw in the web server component of the router firmware where the do_vpnupload_post function fails to properly validate incoming requests before executing configuration changes. When an attacker sends a malformed request to the vpnupload.cgi endpoint, the function processes the input without adequate authentication checks or parameter sanitization. This allows arbitrary NVRAM value modifications, specifically enabling attackers to change the administrator password and activate SSH daemon services or infosvr command mode. The vulnerability's severity is compounded by the fact that it requires no prior authentication credentials, making it particularly dangerous as it can be exploited by anyone with network access to the affected device. The attack vector demonstrates characteristics consistent with CWE-285: Improper Authorization, where the system fails to properly enforce access controls for privileged operations.
The operational impact of CVE-2018-6000 extends far beyond simple unauthorized access, as it provides attackers with complete administrative control over affected routers. Once exploited, adversaries can establish persistent backdoors through SSH access, potentially enabling them to monitor network traffic, redirect DNS requests, modify firewall rules, or deploy additional malware. The vulnerability affects numerous Asus router models including but not limited to those in the RT-AC series, which are widely deployed in both residential and small business environments. Network administrators face significant challenges in identifying compromised devices, as the attack leaves minimal forensic traces and can be executed silently in the background. The combination with CVE-2018-5999 creates a particularly dangerous scenario where attackers can first gain initial access through one vulnerability and then escalate privileges using the second, resulting in full system compromise. This vulnerability aligns with ATT&CK technique T1078: Valid Accounts, as it allows adversaries to establish persistent access through legitimate administrative accounts that are modified by the exploit.
Mitigation strategies for CVE-2018-6000 primarily focus on firmware updates and network segmentation measures. Device owners must immediately upgrade to AsusWRT firmware version 3.0.0.4.384_10007 or later, which includes patches addressing the authentication bypass vulnerability. Network administrators should also implement strict firewall rules to restrict access to the vpnupload.cgi endpoint and other potentially vulnerable web interfaces. Additional protective measures include disabling unnecessary services such as SSH when not required, implementing strong network access controls, and conducting regular vulnerability assessments of networked devices. The vulnerability serves as a reminder of the critical importance of maintaining current firmware versions and following security best practices for network infrastructure devices. Organizations should also consider implementing network monitoring solutions that can detect unusual SSH connections or configuration changes that might indicate exploitation attempts. Given the widespread deployment of affected Asus routers, security professionals recommend immediate action to patch all identified vulnerable devices and establish monitoring procedures to detect potential exploitation attempts in the network perimeter.