CVE-2021-3128
https://notcve.org/view.php?id=CVE-2021-3128
In ASUS RT-AX3000, ZenWiFi AX (XT8), RT-AX88U, and other ASUS routers with firmware < 3.0.0.4.386.42095 or < 9.0.0.4.386.41994, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set. En ASUS RT-AX3000, ZenWiFi AX (XT8), RT-AX88U y otros enrutadores ASUS con versiones de firmware anteriores a 3.0.0.4.386.42095 o versiones anteriores a 9.0.0.4.386.41994, cuando una IPv6 es usada, puede ocurrir un bucle de enrutamiento que genera un tráfico excesivo de red entre un dispositivo afectado y el enrutador de su ISP aguas arriba. Esto ocurre cuando una ruta de prefijo de enlace apunta a un enlace punto a punto, una dirección IPv6 de destino pertenece al prefijo y no es una dirección IPv6 local, y un anuncio de enrutador es recibido con al menos un prefijo IPv6 único global para el cual el flag on-link se establece • https://www.asus.com/Networking-IoT-Servers/Whole-Home-Mesh-WiFi-System/ZenWiFi-WiFi-Systems/ASUS-ZenWiFi-AX-XT8-/HelpDesk_BIOS https://www.asus.com/Networking-IoT-Servers/WiFi-6/All-series/RT-AX3000/HelpDesk_BIOS https://www.asus.com/Networking-IoT-Servers/WiFi-6/All-series/RT-AX55/HelpDesk_BIOS https://www.asus.com/Networking-IoT-Servers/WiFi-6/All-series/RT-AX56U/HelpDesk_BIOS https://www.asus.com/Networking-IoT-Servers/WiFi-6/All-series/RT-AX58U/HelpDesk_BIOS https://www. • CWE-834: Excessive Iteration •
CVE-2018-18320
https://notcve.org/view.php?id=CVE-2018-18320
An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because exec.php has a popen call. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution ** EN DISPUTA ** Se ha descubierto un problema en la versión 0.6.6 del componente Merlin.PHP para dispositivos Asuswrt-Merlin. Un atacante puede ejecutar comandos arbitrarios debido a que exec.php tiene una llamada popen. NOTA: el fabricante indica que Merlin.PHP está diseñado para ser empleado solamente en una red de intranet fiable y que se permite intencionadamente la ejecución remota de código. • http://blog.51cto.com/010bjsoft/2298828 https://github.com/qoli/Merlin.PHP/issues/26 •
CVE-2018-18319
https://notcve.org/view.php?id=CVE-2018-18319
An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution ** EN DISPUTA ** Se ha descubierto un problema en la versión 0.6.6 del componente Merlin.PHP para dispositivos Asuswrt-Merlin. Un atacante puede ejecutar comandos arbitrarios debido a que api.php tiene una llamada eval, tal y como queda demostrado con el URI /6/api.php? • http://blog.51cto.com/010bjsoft/2298902 https://github.com/qoli/Merlin.PHP/issues/27 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2018-8826
https://notcve.org/view.php?id=CVE-2018-8826
ASUS RT-AC51U, RT-AC58U, RT-AC66U, RT-AC1750, RT-ACRH13, and RT-N12 D1 routers with firmware before 3.0.0.4.380.8228; RT-AC52U B1, RT-AC1200 and RT-N600 routers with firmware before 3.0.0.4.380.10446; RT-AC55U and RT-AC55UHP routers with firmware before 3.0.0.4.382.50276; RT-AC86U and RT-AC2900 routers with firmware before 3.0.0.4.384.20648; and possibly other RT-series routers allow remote attackers to execute arbitrary code via unspecified vectors. Los routers ASUS RT-AC51U, RT-AC58U, RT-AC66U, RT-AC1750, RT-ACRH13 y RT-N12 D1 con firmware anterior a 3.0.0.4.380.8228; los routers RT-AC52U B1, RT-AC1200 y RT-N600 con firmware anterior a 3.0.0.4.380.10446; los routers RT-AC55U y RT-AC55UHP con firmware anterior a 3.0.0.4.382.50276; los routers RT-AC86U y RT-AC2900 con firmware anterior a 3.0.0.4.384.20648; y posiblemente otros routers de la serie RT, permiten que atacantes remotos ejecuten código arbitrario mediante vectores sin especificar. • https://www.asus.com/Networking/RT-AC2900/HelpDesk_BIOS https://www.asus.com/Networking/RT-AC52U-B1/HelpDesk_BIOS https://www.asus.com/ca-en/Networking/RT-N600/HelpDesk_Download https://www.asus.com/sg/Networking/RT-AC58U/HelpDesk_BIOS https://www.asus.com/us/Networking/RT-AC1200/HelpDesk_BIOS https://www.asus.com/us/Networking/RT-AC1750/HelpDesk_BIOS https://www.asus.com/us/Networking/RT-AC86U/HelpDesk_BIOS https://www.asus.com/us/Networking/RT-ACRH13/HelpDesk_BIOS • CWE-20: Improper Input Validation •