#VU6514 Session hijacking in Asus products - CVE-2017-6549


Published: May 11, 2017 / Updated: May 12, 2017


Vulnerability identifier: #VU6514
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2017-6549
CWE-ID: CWE-592
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software:
RT-AC53
RT-N600
RT-N300
RT-N66W
RT-N66U
RT-N66R
RT-N56U
RT-N16
RT-N12E
RT-N12+
RT-N12
RT-N11P
RT-AC5300
RT-AC3200
RT-AC3100
RT-AC1750
RT-AC1200
RT-AC88U
RT-AC87U
RT-AC87R
RT-AC68R
RT-AC68P
RT-AC68W
RT-AC66W
RT-AC68UF
RT-AC68U
RT-AC66U
RT-AC56U
RT-AC56S
RT-AC56R
RT-AC55U
RT-AC52U B1
RT-AC51U
Software vendor:
Asus

Description

The vulnerability allows a remote unauthenticated user to hijack any active admin session.

The weakness exists due to improper input validation. A remote attacker can send a request containing cgi_logout and asusrouter-Windows-IFTTT-1.0 in certain HTTP headers, obtain the session cookies and hijack the valid user's session.

Successful exploitation of the vulnerability leads to session theft.
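As an added illustration (not part of the advisory or of any vendor code), the following Python detector parses a raw HTTP request and flags it when the two strings the advisory names appear in its headers. Because the advisory only says "certain HTTP headers", every header is checked; the sample requests, and the headers the strings are placed in, are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Indicator strings named in the advisory, compared case-insensitively
# against the value of every request header.
INDICATORS = ("cgi_logout", "asusrouter-windows-ifttt-1.0")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and a map of
    lower-cased header name -> value (any body is ignored)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    request_line = lines[0].strip() if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed header line instead of aborting
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def find_indicators(raw: str) -> List[Tuple[str, str]]:
    """Return (header_name, indicator) pairs for each header value that
    contains one of the advisory's indicator strings."""
    _, headers = parse_request(raw)
    hits = []
    for name, value in headers.items():
        low = value.lower()
        hits.extend((name, ind) for ind in INDICATORS if ind in low)
    return hits


def is_suspicious(raw: str) -> bool:
    """True only when both indicators are present, i.e. the combination
    the advisory describes; a lone hit is reported but not alerted on."""
    found = {ind for _, ind in find_indicators(raw)}
    return set(INDICATORS) <= found


# Constructed sample requests (not real captures). Which headers carry the
# strings in real traffic is not stated in the advisory; placement is assumed.
BENIGN = ("GET /index.asp HTTP/1.1\r\nHost: router.lan\r\n"
          "User-Agent: Mozilla/5.0\r\n\r\n")
SUSPECT = ("GET / HTTP/1.1\r\nHost: router.lan\r\n"
           "User-Agent: asusrouter-Windows-IFTTT-1.0\r\n"
           "Cookie: cgi_logout\r\n\r\n")
```

Run `find_indicators` over each request in a capture of traffic to the router's web interface and alert on `is_suspicious`; a single lone indicator is worth logging but is not by itself the pattern the advisory describes.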


Remediation

Install the update from the vendor's website.

External links