CVE-2017-15655

moderate-risk
Published 2018-01-31

Multiple buffer overflow vulnerabilities exist in the HTTPd server in Asus asuswrt version <=3.0.0.4.376.X. All have been fixed in version 3.0.0.4.378, but this vulnerability was not previously disclosed. Some end-of-life routers have this version as the newest and thus are vulnerable at this time. This vulnerability allows for RCE with administrator rights when the administrator visits several pages.

Do I need to act?

~
1.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.6/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Asus

References (6)

Third Party Advisory http://packetstormsecurity.com/files/145921/ASUSWRT-3.0.0.4.382.18495-Session-Hi...
Exploit http://seclists.org/fulldisclosure/2018/Jan/63
Exploit http://sploit.tech/2018/01/16/ASUS-part-I.html
Third Party Advisory http://packetstormsecurity.com/files/145921/ASUSWRT-3.0.0.4.382.18495-Session-Hi...
Exploit http://seclists.org/fulldisclosure/2018/Jan/63
Exploit http://sploit.tech/2018/01/16/ASUS-part-I.html
41
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 4/34 · Minimal
Exposure 5/34 · Minimal