Session Token Predictability in Asus Router Firmware
CVE-2017-15654

8.3HIGH

Key Information:

Vendor: Asus
Status: Asuswrt
Vendor: CVE Published:; 31 January 2018

What is CVE-2017-15654?

The vulnerability allows attackers to exploit predictably generated session tokens in the HTTPd server of Asus routers running the AsusWRT firmware. This predictability can lead to unauthorized access to the administrative interface of the router, granting attackers the ability to change settings, intercept network traffic, and potentially compromise the network. All current versions of AsusWRT, including those up to 3.0.0.4.380.7743, are impacted by this issue.

References

http://seclists.org/fulldisclosure/2018/Jan/63

mailing-listx_refsource_FULLDISC

http://packetstormsecurity.com/files/145921/ASUSWRT-3.0.0...

x_refsource_MISC

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 31, 2018
Vulnerability Reserved
Oct 19, 2017