CVE-2023-26602

9.8 CRITICAL

📋 TL;DR

This vulnerability in ASUS ASMB8 iKVM firmware allows remote attackers to execute arbitrary code via SNMP commands that create malicious extensions. Attackers can achieve remote root access by using snmpset with NET-SNMP-EXTEND-MIB to execute shell commands. Organizations using ASUS ASMB8 iKVM devices with vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • ASUS ASMB8 iKVM
Versions: Through 1.14.51
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with SNMP enabled (often default). iKVM devices are typically used for server management.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote root access, allowing attackers to install malware, exfiltrate data, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Remote code execution leading to system takeover, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact if SNMP access is properly restricted and network segmentation isolates iKVM devices.

🌐 Internet-Facing: HIGH - Directly exploitable over network without authentication if exposed to internet.
🏢 Internal Only: HIGH - Still exploitable from internal network segments with SNMP access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available in multiple references. Attack requires SNMP access but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.14.51

Vendor Advisory: https://www.asus.com/support/

Restart Required: Yes

Instructions:

1. Check current firmware version via iKVM web interface.
2. Download latest firmware from ASUS support site.
3. Upload and apply firmware update through web interface.
4. Reboot device after update completes.

🔧 Temporary Workarounds

Disable SNMP Service

Platform: all

Disable SNMP service on ASMB8 iKVM devices to prevent exploitation.

Access iKVM web interface > Network > SNMP > Disable SNMP service

Restrict SNMP Access

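Platform: linux

Configure firewall rules to restrict SNMP access to trusted management networks only. Replace TRUSTED_NETWORK with the management subnet. The INPUT chain filters traffic addressed to the firewall host itself; on a Linux gateway that routes traffic to the iKVM, apply the same matches in the FORWARD chain.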

iptables -A INPUT -p udp --dport 161 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p udp --dport 161 -j DROP

🧯 If You Can't Patch

  • Isolate ASMB8 iKVM devices on separate VLAN with strict firewall rules blocking SNMP from untrusted networks.
  • Implement network monitoring for SNMP traffic to/from iKVM devices and alert on suspicious SNMP commands.

🔍 How to Verify

Check if Vulnerable:

Check firmware version in iKVM web interface under System Information. If version is 1.14.51 or earlier, device is vulnerable.

Check Version:

snmpwalk -v2c -c public DEVICE_IP .1.3.6.1.2.1.1.1 (check system description for version)

Verify Fix Applied:

Verify firmware version shows higher than 1.14.51 after update. Test SNMP functionality to ensure service still works if needed.

📡 Detection & Monitoring

Log Indicators:

  • SNMP SET requests to NET-SNMP-EXTEND-MIB
  • Unusual process execution from SNMP service
  • Failed SNMP authentication attempts

Network Indicators:

  • SNMP traffic to port 161/UDP from unexpected sources
  • SNMP SET operations with shell commands in payload

SIEM Query:

dest_port=161 AND (protocol=udp) AND (payload CONTAINS "NET-SNMP-EXTEND-MIB" OR payload CONTAINS "/bin/sh")
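
Added example (not from the original page, ASUS, or Net-SNMP): the MIB name only appears in decoded logs, while packets carry BER-encoded OIDs, so a packet-level detector has to match the numeric subtree of NET-SNMP-EXTEND-MIB, nsExtendObjects (1.3.6.1.4.1.8072.1.3.2). The Python below parses an SNMPv1/v2c UDP payload and returns the OIDs a SetRequest writes under that subtree; the function names and the sample packet are constructed for illustration, and SNMPv3 messages are not decoded.

```python
EXTEND_PREFIX = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2)  # NET-SNMP-EXTEND-MIB::nsExtendObjects

def tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):
    """Decode BER OID content octets into a tuple of arcs."""
    arcs, val = [], 0
    for b in data:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return (first, arcs[0] - 40 * first, *arcs[1:])

def extend_set_oids(payload):
    """OIDs under nsExtendObjects written by an SNMPv1/v2c SetRequest, else []."""
    try:
        tag, msg, _ = tlv(payload, 0)
        _, _, p = tlv(msg, tlv(msg, 0)[2])    # skip version, then community
        pdu_tag, pdu, _ = tlv(msg, p)
        if tag != 0x30 or pdu_tag != 0xA3:    # 0xA3 = SetRequest PDU tag
            return []
        p = 0
        for _ in range(3):                    # request-id, error-status, error-index
            _, _, p = tlv(pdu, p)
        _, binds, _ = tlv(pdu, p)
        hits, p = [], 0
        while p < len(binds):
            _, bind, p = tlv(binds, p)
            oid = decode_oid(tlv(bind, 0)[1])
            if oid[:len(EXTEND_PREFIX)] == EXTEND_PREFIX:
                hits.append(".".join(map(str, oid)))
        return hits
    except (ValueError, IndexError):          # malformed or not SNMP: nothing to report
        return []

# Constructed SNMPv2c SetRequest: one varbind under nsExtendObjects, placeholder value.
SAMPLE = bytes.fromhex(
    "303b0201010409636f6d6d756e697479a32b020101020100020100"
    "3020301e060f2b06010401bf080103020201020161040b636f6e7374727563746564")
print(extend_set_oids(SAMPLE))
```

Feed it the UDP payload of packets destined to port 161 and alert on any non-empty result from a source outside the management network.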
