CVE-2017-11420

Q: What is the severity of CVE-2017-11420?

CVE-2017-11420 has a CVSS score of 9.8 (CRITICAL). This CVE describes a critical stack-based buffer overflow vulnerability in the networkmap component of ASUS router firmware. Remote attackers can execute arbitrary code by sending specially crafted device information that triggers the overflow during string concatenation. This affects numerous ASUS router models running vulnerable firmware versions.

9.8 CRITICAL

Remote Code Execution Buffer Overflow

📋 TL;DR

This CVE describes a critical stack-based buffer overflow vulnerability in the networkmap component of ASUS router firmware. Remote attackers can execute arbitrary code by sending specially crafted device information that triggers the overflow during string concatenation. This affects numerous ASUS router models running vulnerable firmware versions.

💻 Affected Systems

Products:

ASUS RT-AC5300
RT_AC1900P
RT-AC68U
RT-AC68P
RT-AC88U
RT-AC66U
RT-AC66U_B1
RT-AC58U
RT-AC56U
RT-AC55U
RT-AC52U
RT-AC51U
RT-N18U
RT-N66U
RT-N56U
RT-AC3200
RT-AC3100
RT_AC1200GU
RT_AC1200G
RT-AC1200
RT-AC53
RT-N12HP
RT-N12HP_B1
RT-N12D1
RT-N12+
RT_N12+_PRO
RT-N16
RT-N300

Versions: Vulnerable firmware versions prior to patches released in July 2017

Operating Systems: Asuswrt-Merlin firmware, ASUS stock firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects both stock ASUS firmware and Asuswrt-Merlin custom firmware. The networkmap service is typically enabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote unauthenticated attacker gains full control of the router, enabling traffic interception, credential theft, network pivoting, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to router compromise, allowing attackers to modify DNS settings, intercept traffic, or join the device to a botnet.

🟢

If Mitigated

If patched or properly segmented, impact is limited to denial of service or local network compromise rather than internet-facing exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details were publicly disclosed in July 2017. The vulnerability is remotely exploitable without authentication and has a straightforward exploitation path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions released after July 2017

Vendor Advisory: https://asuswrt.lostrealm.ca/changelog

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Administration > Firmware Upgrade. 3. Download latest firmware from ASUS support site. 4. Upload and install firmware. 5. Reboot router after installation.

🔧 Temporary Workarounds

Disable networkmap service

linux

Temporarily disable the vulnerable networkmap service to prevent exploitation

telnet into router and run: service stop_networkmap
Or via SSH: killall networkmap

Block external access to router admin interface

all

Configure firewall to block WAN access to router management ports

In router admin: Firewall > Enable DoS protection
Firewall > Enable SPI firewall
Administration > System > Enable Web Access from WAN: No

🧯 If You Can't Patch

Segment routers on isolated network VLAN
Implement strict network ACLs to limit router access to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under Administration > Firmware Upgrade. Compare against patched versions from July 2017 onward.

Check Version:

In router admin interface or via SSH: nvram get buildno

Verify Fix Applied:

Verify firmware version is newer than vulnerable versions. Test by attempting to trigger the overflow with proof-of-concept code (in controlled environment).

📡 Detection & Monitoring

Log Indicators:

Unusual networkmap process crashes
Large device information strings in network logs
Unexpected process spawns from networkmap

Network Indicators:

Unusual traffic to router management ports (typically 80, 443, 8080)
Large UDP/TCP packets to router on network discovery ports

SIEM Query:

source="router.log" AND ("networkmap" OR "ASUS_Discovery") AND ("crash" OR "buffer" OR "overflow")

📊 Metadata

CVE ID: CVE-2017-11420

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

Published: July 18, 2017

Last Updated: April 20, 2025

🔗 References

http://www.openwall.com/lists/oss-security/2017/07/13/1 Exploit,Mailing List,Third Party Advisory
https://asuswrt.lostrealm.ca/changelog
http://www.openwall.com/lists/oss-security/2017/07/13/1 Exploit,Mailing List,Third Party Advisory
https://asuswrt.lostrealm.ca/changelog

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Rt Ac1200 Firmware by Asuswrt Merlin Project

Rt Ac1200g Firmware by Asuswrt Merlin Project

Rt Ac1200gu Firmware by Asuswrt Merlin Project

Rt Ac1900p Firmware by Asuswrt Merlin Project

Rt Ac3100 Firmware by Asuswrt Merlin Project

Rt Ac3200 Firmware by Asuswrt Merlin Project

Rt Ac51u Firmware by Asuswrt Merlin Project

Rt Ac52u Firmware by Asuswrt Merlin Project

Rt Ac53 Firmware by Asuswrt Merlin Project

Rt Ac5300 Firmware by Asuswrt Merlin Project

Rt Ac55u Firmware by Asuswrt Merlin Project

Rt Ac56u Firmware by Asuswrt Merlin Project

Rt Ac58u Firmware by Asuswrt Merlin Project

Rt Ac66u B1 Firmware by Asuswrt Merlin Project

Rt Ac66u Firmware by Asuswrt Merlin Project

Rt Ac68p Firmware by Asuswrt Merlin Project

Rt Ac68u Firmware by Asuswrt Merlin Project

Rt Ac88u Firmware by Asuswrt Merlin Project

Rt N12\+ Firmware by Asuswrt Merlin Project

Rt N12\+ Pro Firmware by Asuswrt Merlin Project

Rt N12d1 Firmware by Asuswrt Merlin Project

Rt N12hp B1 Firmware by Asuswrt Merlin Project

Rt N12hp Firmware by Asuswrt Merlin Project

Rt N16 Firmware by Asuswrt Merlin Project

Rt N18u Firmware by Asuswrt Merlin Project

Rt N300 Firmware by Asuswrt Merlin Project

Rt N56u Firmware by Asuswrt Merlin Project

Rt N66u Firmware by Asuswrt Merlin Project