CVE-2021-44158 – ASUS RT-AX56U Wi-Fi routers have a stack-based ... (How to Fix)

Q: What is the severity of CVE-2021-44158?

CVE-2021-44158 has a CVSS score of 8.0 (HIGH). ASUS RT-AX56U Wi-Fi routers have a stack-based buffer overflow vulnerability in their httpd service. An authenticated attacker on the local network can exploit this to execute arbitrary code, potentially taking full control of the router or disrupting its service. Only users of this specific router model are affected.

📋 TL;DR

ASUS RT-AX56U Wi-Fi routers have a stack-based buffer overflow vulnerability in their httpd service. An authenticated attacker on the local network can exploit this to execute arbitrary code, potentially taking full control of the router or disrupting its service. Only users of this specific router model are affected.

💻 Affected Systems

Products:

ASUS RT-AX56U Wi-Fi Router

Versions: Firmware versions prior to 3.0.0.4.386.45956

Operating Systems: Embedded Linux (ASUSWRT)

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have LAN access and valid authentication credentials to the router's web interface.

📦 What is this software?

Rt Ax56u Firmware by Asus

View all CVEs affecting Rt Ax56u Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attacker to intercept all network traffic, install persistent malware, or use the router as a pivot point into the internal network.

🟠

Likely Case

Router becomes unresponsive requiring physical reset, or attacker gains limited control to modify DNS settings or capture credentials.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to the router itself without lateral movement to other devices.

🌐 Internet-Facing: LOW (requires local network access, not directly exploitable from internet)

🏢 Internal Only: HIGH (any authenticated user on the local network can potentially exploit this vulnerability)

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires authentication but buffer overflow techniques for embedded devices are well understood. The vulnerability is in parameter handling of the httpd service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0.4.386.45956 or later

Vendor Advisory: https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AX56U/HelpDesk_BIOS/

Restart Required: Yes

Instructions:

1. Log into router web interface. 2. Navigate to Administration > Firmware Upgrade. 3. Click 'Check' for updates or manually upload firmware. 4. Download firmware version 3.0.0.4.386.45956 or later from ASUS support site. 5. Upload and apply the firmware update. 6. Router will reboot automatically.

🔧 Temporary Workarounds

Restrict LAN Access

linux

Limit which devices can access the router's administration interface

iptables -A INPUT -p tcp --dport 80 -s ! 192.168.1.100 -j DROP
iptables -A INPUT -p tcp --dport 443 -s ! 192.168.1.100 -j DROP

Disable Remote Administration

all

Ensure router web interface is only accessible from LAN

🧯 If You Can't Patch

Segment the router on isolated VLAN to limit attack surface
Implement strict access controls allowing only trusted devices to communicate with router management interface

🔍 How to Verify

Check if Vulnerable:

Log into router web interface, navigate to Administration > Firmware Upgrade, check current firmware version. If version is below 3.0.0.4.386.45956, device is vulnerable.

Check Version:

curl -s http://router.asus.com/ | grep -i firmware || ssh admin@router 'nvram get buildno'

Verify Fix Applied:

After updating, verify firmware version shows 3.0.0.4.386.45956 or higher in Administration > Firmware Upgrade page.

📡 Detection & Monitoring

Log Indicators:

Multiple failed authentication attempts followed by successful login
Unusual httpd process crashes or restarts
Large HTTP POST requests to router management interface

Network Indicators:

Unusual outbound connections from router to external IPs
DNS queries to suspicious domains from router
Port scanning originating from router

SIEM Query:

source="router.logs" AND (http_status=500 OR process="httpd" AND event="crash")

📊 Metadata

CVE ID: CVE-2021-44158

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: January 3, 2022

Last Updated: November 21, 2024

🔗 References

https://www.twcert.org.tw/tw/cp-132-5431-d23be-1.html Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-5431-d23be-1.html Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-44158, you might also want to check these: