The "nOAuth" attack allows cross-platform spoofing and full account takeovers, and enterprises need to remediate the issue immediately, researchers warn.

Organizations that have implemented the "Log in with Microsoft" feature in their Microsoft Azure Active Directory environments could potentially be vulnerable to an authentication bypass that opens the door to online and cloud account takeovers.

According to researchers at Descope, who dubbed the attack "nOAuth," the issue is an authentication implementation flaw that affects multitenant OAuth applications in Azure AD, Microsoft's cloud-based identity and access management service. A successful attack gives a bad actor full run of a victim's accounts, with the ability to establish persistence, exfiltrate data, explore if lateral movement is possible, and so on.

"OAuth and OpenID Connect are open, popular standards which millions of Web properties already use," says Omer Cohen, CISO at Descope. "If 'Log in with Microsoft' is improperly implemented, several of these apps could be vulnerable to account takeover. Small businesses with fewer developer resources could especially be impacted."

**Inside the nOAuth Cyberattack Threat**

By way of background, OAuth is an open, token-based authorization framework that allows users to log into applications automatically, based on previous authentication to another trusted app. This is familiar to most people from the "Log in with Facebook" or "Log in with Google" options available on many e-commerce websites.

In the Azure AD environment, OAuth is used to help manage user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications using OAuth apps.

"Azure Active Directory also manages internal resources like apps on your corporate intranet and any cloud apps developed by your own organization by providing authentications via OAuth, OIDC, and other standard protocols," according to the Descope analysis. In other words, it holds the keys to a lot of important corporate data.

The weakness allows bad actors to perform cross-platform spoofing simply by using an unwitting victim's email address to impersonate them, according to Descope's analysis on the issue, released this week.

"In usual OAuth and OpenID Connect implementations, the user’s email address is used as the unique identifier by applications," explained researchers at Descope. "However, in Microsoft Azure AD, the 'email' claim returned is mutable and unverified, so it cannot be trusted."

That means that anyone with malicious intent and a decent amount of platform knowledge can simply set up an Azure AD account, and arbitrarily change the email attribute under "Contact Information" in that account to control the email authentication claim.

"\[This\] allows the attacker to use 'Log in with Microsoft' with the email address of any victim they want to impersonate," the researchers explained. "They can take over victims' accounts on any app that uses 'email' claim as the unique identifier for Microsoft OAuth and does not validate that email address, completely bypassing authentication."

The attack flow is unnervingly simple:

1.  The attackers accesses their Azure AD account as an administrator.
2.  The attackers change the "email" attribute of their account used for authentication to the victim’s email address.
3.  Since Microsoft does not require the email change to be validated on Azure AD, the system merges the two accounts and gives the attackers access to the victim's environment.

**A Far-Ranging Authentication Weakness**

To better understand the scope of the problem, the Descope researchers created a nOAuth proof-of-concept (PoC) exploit and tested it "with a white-hat attack on hundreds of websites and applications to check if any of them were vulnerable," they said. "We found that quite a few of them were."

Amid the sitting ducks were a design app with millions of monthly users, a publicly traded customer experience company, a leading multicloud consulting provider, as well as several SMBs and early-stage startups.

"We also informed two authentication platform providers that were merging user accounts when 'Log in with Microsoft' was used on an existing user account," according to the report. "In this instance, merging the attacker account with a legitimate user account would hand full control over the user account to the attacker. As a result, all of their customers using 'Log in with Microsoft' would have been vulnerable."

These findings, according to the researchers, "are a drop in the ocean of the Internet," and there are likely many, many thousands of other users that could be affected.

Microsoft has always issued general guidance to users to not to use an email address as a unique identifier for authentication, but after Descope informed Microsoft of the breadth of the issue, the computing giant has revamped its Azure AD OAuth implementation guidance to include two new claims to use, and dedicated sections on claim verification.

"If your app uses 'Log in with Microsoft' and you handle authentication in-house, it’s critical that you check if you use the email claim returned by Azure AD as the unique identifier," Cohen notes. "If so, remediation steps should be taken to ensure the claim used as the unique identifier for the user is the 'sub' (Subject) claim to avoid potential exploitation."

**Incorrect OAuth Implementations Plague Businesses**

Incorrect implementations of OAuth have been coming to light at big businesses lately, showcasing a need for organizations to lock down this potentially damaging attack vector.

In March, for instance, flaws in the authorization system of the Booking.com website came to light that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

And in May, a bug tracked as CVE-2023-28131 was found in the OAuth implementation of Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase. The flaw threatened the accounts of any users that used various and social media accounts to log in to an online service that uses the framework.

Cohen underscores that the OAuth standard and others like it are trustworthy and strong authentication approaches but that businesses need to make sure to work with cybersecurity and authentication experts when building them in.

"These standards are extremely complicated to work with," he says. "Authentication isn’t something you can just add on and check a box. Implementing these standards correctly is critical to the security of the application."

He adds, "If businesses chose to implement these standards in-house, then they must have regular pen testing and review of the implementation, or they can use an authentication platform that is built by security experts."

He stresses that the importance of this can't be understated, given that cybercriminals are actively looking for these types of weaknesses.

"These are very typical attack vectors exploited," Cohen notes. "Attackers use these to cause widespread harm."

He adds, "With the increase of organizations adopting cloud technologies and SaaS applications, identity is the new firewall. If user authentication is not well-designed, it doesn’t matter how secure the application is itself as you will leave the front door open to cyberattacks."

Azure AD 'Log in With Microsoft' Authentication Bypass Affects Thousands

By Deeba Ahmed
The vCISO Directory comes to answer the increasing need of SMBs to manage their cybersecurity and helps them…
This is a post from HackRead.com Read the original post: First Directory of Virtual CISO Providers Launched by Cynomi

The vCISO Directory comes to answer the increasing need of SMBs to manage their cybersecurity and helps them find and engage with the right vendor.

TEL AVIV, ISRAEL, JUNE 22, 2023  – The industry’s first-ever directory of virtual Chief Information Security Officer service providers has gone live today at www.thevcisodirectory.com.

This extensive list of virtual CISO (vCISO) providers, collated by Cynomi, means that small- and medium-sized businesses (SMBs) can easily tap the expertise of qualified cybersecurity professionals to protect their digital assets and ensure compliance.

Cyberattacks are on the rise, with Check Point Software’s Mid-Year Security Report revealing a 42% global increase in malicious incidents during the first half of 2022. In this climate, strong cybersecurity measures are crucial. However, most small and medium size companies do not have a CISO of their own, usually because they lack the budget to fill such a position.

This problem is compounded by the talent gap that makes it difficult to find individuals with the necessary skill and specialized experience. According to research by Datto, only 50% of SMBs have a dedicated, internal IT person who manages their cybersecurity needs.

To address this gap and help organizations shore up their cyberdefenses, managed service providers (MSPs,) managed security service providers (MSSPs) and consultancies have developed vCISO services.

They enable businesses to avail themselves of the expertise and skills of a professional CISO to improve their cybersecurity posture, while only paying for an agreed scope of work, usually a fraction of the cost of an in-house security expert. Cynomi, by publishing the industry’s first vCISO directory, is making it simple for businesses to access this expanding pool of resources.

At launch, the vCISO directory contains more than 200 listings of U.S.-based providers, together with details on the specific services they offer and the technology platforms they use to guide and implement their security strategies. The directory will be continually updated and expanded globally to incorporate international providers. 

“Thousands of small and mid-sized businesses globally could benefit from the expertise and support of a traditional CISO, but on a more consultative or part-time basis”, said David Primor, co-founder and CEO of Cynomi. “This is where the vCISO services come in. Our new directory enables businesses to find all vCISO service providers in one place and make an informed choice between the different benefits of the many providers available.”

“Couple of years back we weren’t prioritizing our cybersecurity services, but then we started getting consistent security-as-a-service requests,” said Chris Bevil, CISO of InfoSystems, an MSP located in Tennessee, U.S.A. “We realized that setting up a robust vCISO offering was in our best business interest. In the present climate, this has been a significant boost to our business and positioned us as a leading MSP in our region.”

MSPs and MSSPs offering vCISO services that are not yet included in the directory can submit their details for consideration here. 

**About Cynomi**

Cynomi’s AI-driven platform empowers MSSPs, MSPs and consultancies to offer vCISO services to SMEs at scale and provide them with proactive cyber resilience. Combining proprietary AI algorithms with CISO-level knowledge and knowhow, Cynomi’s platform streamlines the vCISO’s work while automating manual time-consuming tasks including risk assessment, compliance readiness, cyber posture reporting, creation of tailored security policies and remediation plans, as well as task management optimization. 

Cynomi helps partners overcome the cybersecurity skill gap and scale their business, allowing them to offer new services, upsell and increase revenues while reducing operational costs. 

Established in 2020 with the vision that every company deserves a CISO, and with a channel-only approach, Cynomi now serves more than 50 partners worldwide. 

To learn more about Cynomi’s solution for MSPs, MSSPs, and cyber consultancies visit www.cynomi.com.

*   Rotem Shemesh, VP of Marketing, Cynomi
*   rotem@cynomi.com

First Directory of Virtual CISO Providers Launched by Cynomi

Why Data Exfiltration Detection is Paramount?
The world is witnessing an exponential rise in ransomware and data theft employed to extort companies. At the same time, the industry faces numerous critical vulnerabilities in database software and company websites. This evolution paints a dire picture of data exposure and exfiltration that every security leader and team is grappling with. This

Network Security / Machine Learning

****Why Data Exfiltration Detection is Paramount?****

The world is witnessing an exponential rise in ransomware and data theft employed to extort companies. At the same time, the industry faces numerous critical vulnerabilities in database software and company websites. This evolution paints a dire picture of data exposure and exfiltration that every security leader and team is grappling with. This article highlights this challenge and expounds on the benefits that Machine Learning algorithms and Network Detection & Response (NDR) approaches bring to the table.

Data exfiltration often serves as the final act of a cyberattack, making it the last window of opportunity to detect the breach before the data is made public or is used for other sinister activities, such as espionage. However, data leakage isn't only an aftermath of cyberattacks, it can also be a consequence of human error. While prevention of data exfiltration through security controls is ideal, the escalating complexity and dispersion of infrastructures, accompanied by the integration of legacy devices, makes prevention a strenuous task. In such scenarios, detection serves as our ultimate safety net – indeed, better late than never.

****Addressing the Challenge of Detecting Data Exfiltration****

Attackers can exploit numerous security gaps to harvest and exfiltrate data, employing protocols like DNS, HTTP(S), FTP and SMB. The MITRE ATT&CK framework describes many such exfiltration attack patterns. However, keeping pace with every protocol and infrastructure modification is a daunting task, complicating the integration towards holistic security monitoring. What's needed is device- or network-specific volume-based analysis of relevant thresholds.

This is where Network Detection & Response (NDR) technology steps in. ML-driven NDR allows for essential network monitoring by providing two significant properties:

1.  They enable feasible monitoring of all related network communications – the bedrock of comprehensive data exfiltration monitoring. This covers not only internal-external system interactions but also internal communications. While some attack groups exfiltrate data directly to the outside, others employ dedicated internal exfiltration hosts.
2.  Machine learning algorithms aid in context-specific learning of diverse thresholds for varying devices and networks, crucial in the current diverse infrastructure landscape.

****Decoding Machine Learning for Data Exfiltration Detection****

Before Machine Learning, thresholds for specific networks or clients were manually set. Consequently, an alert was triggered when a device sent more than the specific threshold of data outside the network. However, Machine Learning algorithms brought several advantages for data exfiltration detection:

1.  Learning the network traffic communications and the upload/download behavior of clients and servers, providing the essential baseline for anomaly detection.
2.  Establishing suitable thresholds for different clients, servers, and networks. Defining and maintaining these thresholds for each network or client group would otherwise be a tedious task.
3.  Recognizing changes in learned volume profiles, and detecting outliers and suspicious data exchanges, either internally or between internal and external systems.
4.  Employing scoring mechanisms to quantify outliers, correlating the data with other systems, and generating alerts for identified anomalies.

Visualization: When the traffic volume surpasses a certain threshold, as determined by the learned profile, an alert will be triggered.

****ML-driven Network Detection & Response to the Rescue****

**Network Detection & Response (NDR)** solutions provide a comprehensive and insightful method to detect abnormal network activities and unexpected surges in data transmission. Leveraging Machine Learning (ML), these solutions establish a network communication baseline, facilitating the swift identification of outliers. This applies to volume analysis and covert channels alike. Through this advanced, proactive stance, NDRs can detect the initial signs of intrusion, often well before data exfiltration transpires.

One NDR solution, distinguished by its precise data volume monitoring, is **ExeonTrace**. This Swiss NDR system, driven by award-winning ML algorithms, passively inspects and analyzes network traffic in real time, identifying potentially risky or unauthorized data movement. Moreover, ExeonTrace integrates seamlessly with existing infrastructure, thereby eliminating the necessity for additional hardware agents. The advantages of ExeonTrace extend beyond mere security, aiding in the comprehension of regular and anomalous network behavior – a critical factor in establishing a robust and efficient security posture.

ExeonTrace Platform: Data Volume Outlier Detection

****Key Takeaways****

In today's digital landscape, networks are continually expanding, and vulnerabilities are escalating. As a result, effective data exfiltration detection becomes indispensable. However, with the complexity of modern networks, setting manual thresholds for outlier detection can not only be cumbersome but also virtually impossible. Through volume-based detections and traffic behaviour monitoring, one can identify data exfiltration, pinpointing abnormal alterations in data volume and upload/download traffic patterns. Herein lies the power of Machine Learning (ML) in Network Detection & Response (NDR) systems: it automatically identifies infrastructure-specific thresholds and outliers.

Among these NDR solutions, ExeonTrace stands out, offering comprehensive network visibility, effective anomaly detection, and a fortified security stance. These features ensure that business operations proceed with security and efficiency. **Request a demo** to find out how to leverage ML-driven NDR to detect data exfiltration and anomalous network behaviours for your organisation.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Unveiling the Unseen: Identifying Data Exfiltration with Machine Learning

A slew of critical advisories this week showcase an exploding edge device attack surface for SMBs, which have limited cybersecurity protection, visibility, and maintenance available.

Small and midsized businesses (SMBs) have some security work ahead as two major edge device vendors (Asus and Zyxel) announce critical security vulnerabilities to patch — and another (Western Digital) cuts off unpatched devices from the cloud.

Asus released new firmware on June 19 to fix nine separate vulnerabilities in several of the company's router models, one of which could let a cyberattacker gain code execution ability. Two of the most serious flaws are a critical memory corruption weakness in the Asus router firmware, tracked under CVE-2022-26376, and the second could allow a threat actor to "achieve arbitrary code execution," according to NIST, and dates back to 2018, tracked under CVE-2018-1160.

The same day, Western Digital announced it has blocked devices running unpatched firmware from its cloud as of June 15.

A severe vulnerability impacting Western Digital's MyCloud Home and other cloud storage devices could lead to remote code execution, according to NIST. Despite the fact that the bug, tracked under CVE-2022-36327, received a CVSS vulnerability-severity score of 9.8 out of 10, the flaw was known to the public for a full month before affected devices were blocked from accessing the Western Digital cloud.

Also this week, Zyxel released patches against code-injection vulnerabilities in three versions of its network-attached storage devices. The firmware command injection vulnerability is tracked under CVE-2023-27992 and could let an unauthenticated user execute operating system commands.

**SMB Edge Cyberattack Surface Explodes **

This glut of edge-device patch warnings this week showcases the fact that SMBs are increasingly at risk thanks to the exploding number of edge devices being connected to their networks. For an idea of the scale of the endpoint attack surface, experts put the number of active Internet of things (IoT) and edge devices around the world at more than 12 billion. That number is expected to hit 27 billion by 2025.

At the same time, many of these organizations are largely woefully lacking in basic cybersecurity hygiene and monitoring. At first, edge devices can seem like an economic choice for building out an SMB infrastructure, but they are much tougher to secure, explains Melissa Bischoping, director, endpoint security research at Tanium.

"For small businesses, using small-office-home-office (SOHO) routers and devices is often a cost-effective solution," she says, "but the lack of monitoring and centralized management in many of these devices can result in vulnerabilities and insecure configurations that provide easy access to an adversary."

Meanwhile, never ones to miss an opportunity, threat actors are making the most of this sweet spot.

“Edge infrastructure is an incredibly attractive target for attackers because it generally lacks the depth of monitoring and visibility that endpoints have, and is always public facing by design, removing an initial hurdle for access,” Bischoping explains.

Making these devices an even softer mark, many are built with open source components, says John Gallagher, vice president of Viakoo Labs.

"Edge devices like routers, NAS drives, IP cameras, and other IoT/OT systems are the fastest growing part of an organization’s attack surface due to their use of open source software components and often being unmanaged and unmonitored," Gallagher explains. “Traditional IT security solutions that are agent-based don't work for IoT/OT devices which require agentless solutions."

**How SMBs Can Secure the Edge**

Securing the SMB edge starts with knowing what there is to protect, according to Gallagher.

"First, make sure you have a complete inventory of devices by using an agentless asset discovery solution," Gallagher says.

Once cybersecurity teams have visibility into what there is to defend, that information can be used to direct resources effectively, Bischoping adds.

"Prioritize visibility of the edge assets and leverage that information to address patching, credential management, and configuration hardening as part of your ongoing security hygiene and controls," she says. "Other quick wins include ensuring you’ve rotated default login credentials on these devices, employed secure authentication mechanisms, and enforced least-privilege access for any accounts that may log in to those devices."

And, to handle with firmware and password updates at the scale required for IoT and edge devices, Gallagher recommends an automated approach.

Commenting on how SMBs can manage the edge more effectively, organizations should also consider whether devices need to be connected to the Internet, or would be better suited for a more secure internal network connection, advises Matthew Morin, senior director of product management with NetRise.

"In the case of many vulnerabilities announced by Asus, Zyxel, and Western Digital, ensuring the affected devices were only accessible via internal networks would have dramatically reduced the impact of the vulnerabilities," Morin recommends. "SMBs must understand what is publicly disclosed from their networks and regularly review if what is exposed needs to be there."

Teams should also look for devices with no particular owner or purpose and pull the plug. "Lastly, ensure that devices have clear ownership and tracking of their lifecycle management, so that devices that go end of life or end of support can be replaced before they get exploited." Gallagher adds.

Once those processes are in place, Morin says the next step for more mature organizations is incorporating software bills of materials (SBOMs) for added visibility.

"For more mature organizations, a good next step is ensuring that they have component-level visibility, such as an SBOM for network-connected devices," Morin adds. "In this case, with an SBOM, an organization could have been aware of this risk well before the vendor decided to patch the issue."

SMB Edge Devices Walloped With Asus, Zyxel Patch Warnings

A threat you've never heard of is using double extortion attacks on mom-and-pop shops around the globe.

A ransomware group that operated under the radar for over a year has come to light in recent weeks, thanks to a series of business data leaks on the Dark Web.

Since at least April 2022, 8base — not to be confused with the Florida-based software company of the same name — has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May, when the group dumped data belonging to 67 organizations on the cyber underground.

It didn't end there. "We've been keeping an eye on what they're doing, and this month they're busy again," says Matt Hull, global head of threat intelligence at NCC Group. 8base has already doxxed 29 new businesses this month.

Not much is known yet about the group's tactics, techniques, and procedures (TTPs), likely due to the low profile of their victims. According to data scraped from their leak site, those victims include a British cleaning company, a sanitation company in Egypt, a private school in a Boston suburb, and a CPA in New York, among others of a similar profile.

The victims span science and technology, manufacturing, retail, construction, healthcare, and more. They're wisely distributed geographically as well: a shipping company in India, a Peruvian gift basket company, and a corrugated cardboard manufacturer in Madagascar. The majority, however, are focused in North America — around a third of the total — and South America. A dozen victims in both May and June were based in Brazil, in line with a recent wave of Brazilian cyberattacks more generally.

**How 8base Conducts Its Business**

With little yet known about 8base (it's part of a wave of ransomware newbies entering the market), one aspect of the group that is very clear is their preferred mode of operation. In a terms-of-service section of their leak site (see graphic), the group laid out 13 rules for their victims and themselves, written in ersatz legalese: "Participation of police departments is prohibited," and "Personal data will not be shared with third parties by the team."

    

Source: Hackmanac

Whether the gang is as honest as it would like you to think is another matter. On the About Us page, the hackers perfidiously claim, "We are honest and simple pentesters," adding that "this list contains only those companies that have neglected the privacy and importance of the data of their employees and customers."

NCC's Hull says 8base is not the first group to operate like this. "I think it's a result of the successes that other groups are having with these types of tactics," he notes.

Though 8base isn't breaking any new ground, actually defending against their tried-and-true methods is another matter.

"Budgets are tight, particularly for the smaller organizations. These organizations aren't going to be able to pay for a SOC or other advanced detection capabilities," Hull notes. "The main thing that anyone can do, whether it's an individual or small business, is get the fundamentals right." He points to password hygiene, multifactor authentication, and social engineering awareness as three simple changes small businesses can make to better their security without breaking the bank.

"Getting a hold of the basics goes a long way," he adds.

Emerging Ransomware Group 8Base Doxxes SMBs Globally

Vulnerability in Cloud Foundry Notifications, Cloud Foundry SMB-volume release, Cloud FOundry cf-nfs-volume release.This issue affects Notifications: All versions prior to 63; SMB-volume release: All versions prior to 3.1.19; cf-nfs-volume release: 5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19.



**Severity**

Medium

**Vendor**

Cloud Foundry Foundation

**Description**

Cloud foundry team found that the kernel audit logging is enabled on some components due to which various lifecycle workflows in the platform that use admin or service credentials in invocations of binaries are picked up by the audit logging, which record arguments passed to binary invocations that access the filesystem. A malicious user may use these credentials to deploy apps on CF instance.

**Affected Cloud Foundry Products and Versions**

_Severity is medium unless otherwise noted._

*   CF NFS volume release
    *   5.0.x versions prior to 5.0.27
    *   7.1.x versions prior to 7.1.19
*   Notifications
    *   All versions prior to 63
*   SMB Volume
    *   All versions prior to 3.1.19

**Mitigation**

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

*   CF NFS volume release
    *   Upgrade 5.0.x versions to 5.0.27 or greater
    *   Upgrade 7.1.x versions to 7.1.19 or greater
*   Notifications
    *   Upgrade all versions to 63 or greater
*   SMB Volume
    *   Upgrade all versions to 3.1.19 or greater

**History**

2023-06-15: Initial vulnerability report published.

**Sign up for the  
Cloud Foundry Newsletter today!**

CVE-2023-20885: CVE-2023-20885: CF workflows leak credentials in system audit logs | Cloud Foundry

Windows SMB Witness Service Security Feature Bypass Vulnerability

CVE-2023-32021

THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.

**Hydra Network Logon Cracker 9.5**

Posted Jun 13, 2023

Authored by van Hauser, thc | Site thc.org

THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.

Changes: 2 updates to http-form, 1 fix for smb2, 1 fix for smtp, and 1 fix for rdp.

tags | tool, web, imap

systems | cisco, unix

SHA-256 | 9dd193b011fdb3c52a17b0da61a38a4148ffcad731557696819d4721d1bee76b

Download | Favorite | View

Hydra Network Logon Cracker 9.5

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications.

CVE-2023-31439: Releases · systemd/systemd

ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack, and a user is tricked to log into the affected device through an unencrypted ('http') connection, the user's session may be hijacked.

**BIOS & FIRMWARE**

*   Driver & Tools
*   BIOS & FIRMWARE

Firmware

ASUS RT-AX3000 Firmware version 3.0.0.4.388.23403

Version 3.0.0.4.388.23403

92.17 MB

2023/05/31

New features:  
\-Built-in Surfshark in VPN Fusion allows you to surf the internet anonymously and securely from anywhere by encrypting connections. Please refer to https://asus.click/SurfsharkVPN

\-iPhone/Android USB auto backup WAN allows you to connect your phone to the router’s USB port and use it as an internet source. Please refer to https://asus.click/AutobackupWAN

\-DDNS transfer allows you to transfer your ASUS DDNS hostname from your original router to the new one. Please refer to https://asus.click/ASUSDDNS

Bug fixes and functionality modifications:  
\-Resolved the issue with login and password changes.  
\-Resolved the IPSec VPN connection issues.  
\-Resolved the Instant Guard connection issues.  
\-Fixed the AiCloud login issue after unplugging and plugging the HDD into the USB port.  
\-Fixed the issue where Traffic Analyzer sometimes couldn't record data.  
\-Fixed the time display issue for the preferred upgrade time in the Auto Firmware Upgrade function.  
\-Fine-tuned the description for port status.  
\-Enabled DynDNS and No-IP DDNS to use IPv6.  
\-Fixed AiMesh preferred AP identification in site survey results.  
\-Updated timezone list for Greenland, Mexico, and Iran.  
\-Modified the USB application option text in dual WAN.  
\-Allowed WireGuard Server clients to access the Samba server.  
\-Fixed memory leak issue.  
\-Enabled the failback function when using the iOS/Android USB backup WAN.  
\-The ARP response issue has been resolved, along with the connection issue between the router and the ROG Phone 6 and 7.  
\-Resolved the issue where the USB path is not displayed on the Media Server page in the AiMesh node

Security updates:  
\-Enabled and supported ECDSA certificates for Let's Encrypt.  
\-Enhanced protection for credentials.  
\-Enhanced protection for OTA firmware updates.  
\-Fixed DoS vulnerabilities in firewall configuration pages. Thanks to Jinghe Gao's contribution.  
\-Fixed DoS vulerabilities in httpd. Thanks to Howard McGreehan.  
\-Fixed information disclosure vulnerability. Thanks to Junxu (Hillstone Network Security Research Institute) contribution.  
\-Fixed CVE-2023-28702 and CVE-2023-28703. Thanks to Xingyu Xu(@tmotfl) contribution.  
\-Fixed null pointer dereference vulnerabilities. Thanks to Chengfeng Ye, Prism Research Group - cse hkust contribution.  
\-Fixed the cfg server vulnerability. Thanks to Swing and Wang Duo from Chaitin Security Research Lab.  
\-Fixed the vulnerability in the logmessage function. Thanks to Swing and Wang Duo from Chaitin Security Research Lab C0ss4ck from Bytedance Wuheng Lab, Feixincheng from X1cT34m.  
\- Fixed CVE-2023-31195

Please unzip the firmware file, and then verify the checksum.  
SHA256: 5975e675481949dd7a9a29e3e3cb9f3fdd1aa7e757f1fef1f4e40073dee843fe

ASUS RT-AX3000 Firmware version 3.0.0.4.388.22525

Version 3.0.0.4.388.22525

90.61 MB

2023/02/16

1.Fixed CVE-2022-46871  
2.Fixed Client DOM Stored XSS.  
3.Improved AiMesh backhaul stability.  
4.Fixed AiMesh topology UI bugs.  
5.Fixed the reboot issue when assigning specific clients in VPN fusion.  
6.Fixed the VPN fusion bug when importing the Surfshark WireGuard conf file.  
7.Fixed network map bugs.

Please unzip the firmware file first then check the MD5 code.  
MD5: 5532bb77bc2afc51c85b76bb7d4f3f1a

ASUS RT-AX3000 Firmware version 3.0.0.4.388.22237

Version 3.0.0.4.388.22237

90.6 MB

2023/01/11

1\. Supported WireGuard VPN server and client.  
2\. Supported VPN fusion. It can easily achieve VPN connection to network devices like Smart TV, Game consoles and without installing the VPN client software.  
3\. Supported new devices connection notification.  
4\. Supported connection diagnostic on the ASUS router app.  
5\. Supported Instant Guard 2.0 which helps easily invite family or friends to join the VPN connection.  
6\. Upgraded parental control and added reward, new scheduler for flexible setting  
7\. Fixed USB icon issue in port status.  
8\. Fixed HTTP response splitting vulnerability. Thanks to Efstratios Chatzoglou, University of the Aegean.  
9\. Fixed status page HTML vulnerability. Thanks to David Ward.  
10\. Fixed CVE-2018-1160. Thanks to Steven Sroba.  
11\. Fixed cfg\_server security issue.

Please unzip the firmware file first then check the MD5 code.  
MD5: cae183e7cb66cb79af55dc6295be2fe1

ASUS RT-AX3000 Firmware version 3.0.0.4.386.49674

Version 3.0.0.4.386.49674

107.1 MB

2022/07/21

1\. Fixed CVE-2022-23970, CVE-2022-23971, CVE-2022-23972, CVE-2022-23973, CVE-2022-25595, CVE-2022-25596, CVE-2022-25597, CVE-2022-26376,CVE-2021-34174, CVE-2022-26376,CVE-2022-0778  
2\. Fixed CVE-2018-1160. Thanks to Steven Sroba  
3\. Fixed Stored XSS vulnerability. Thanks to Milan Kyselica of IstroSec.  
4\. Fixed anomalous 802.11 frame issues.  
Thanks to Kari Hulkko and Tuomo Untinen from The Synopsys Cybersecurity Research Center (CyRC). Issue was found by using Defensics Fuzz Testing Tool.  
5\. Fixed v6plus issues.  
6\. Added 3rd party DNS server list in WAN --> DNS to help users enhance the connection security.  
7\. Supported Safe Browsing in the router app to filter explicit content from search results. You can set it in the router app --> Devices or Family.  
8\. Improved system stability.

Please unzip the firmware file first then check the MD5 code.  
MD5: e6585b0748c26aec8e5a4625affc2ca3

ASUS RT-AX3000 Firmware version 3.0.0.4.386.48908

Version 3.0.0.4.386.48908

107.59 MB

2022/05/24

1.Fix IPv6+ related issues  
2.Improve system stability  
3.GUI bugs fixed.

Please unzip the firmware file first then check the MD5 code.  
MD5: 84eda699d7ebe5ae552499768b71823d

ASUS RT-AX3000 Firmware version 3.0.0.4.386.48631

Version 3.0.0.4.386.48631

107.63 MB

2022/04/22

1\. Fixed AiMesh dose not work properly.  
2\. Fixed OpenSSL CVE-2022-0778  
3\. Added more security measures to block malware.  
4\. Fixed Stored XSS vulnerability. Thanks to Milan Kyselica of IstroSec.  
5\. Fixed CVE-2022-23970, CVE-2022-23971, CVE-2022-23972, CVE-2022-23973, CVE-2022-25595, CVE-2022-25596, CVE-2022-25597  
6\. Fixed CVE-2021-34174

Please unzip the firmware file first then check the MD5 code.  
MD5: 901eaf86a2b1188f5e6019455f9b1884

ASUS RT-AX3000 Firmware version 3.0.0.4.386.47029

Version 3.0.0.4.386.47029

108.19 MB

2022/01/10

1\. Fixed v6plus related issues  
2\. Firewall supports IPv6 list.  
3\. Fixed the case of some ISP only can get the private IPv6 address.  
4\. Minor GUI bug fixes.  
\*Due to core software module upgrade, if you wanna to upgrade to this version, please must update your router to 3.0.0.4.386.45898 first.

Please unzip the firmware file first then check the MD5 code.  
MD5:A35D678FCA72D8536F3F126AA0E4D88A

ASUS RT-AX3000 Firmware version 3.0.0.4.386.45898

Version 3.0.0.4.386.45898

53.31 MB

2021/10/07

1\. Fixed AiMesh web page multi-language issues.  
2\. Fixed Let's encrypt issues.  
3\. Fixed Stored XSS vulnerability.  
4\. Fixed CVE-2021-41435, CVE-2021-41436.  
Thanks to Efstratios Chatzoglou, University of the Aegean  
Georgios Kambourakis, European Commission at the European Joint Research Centre  
Constantinos Kolias, University of Idaho.  
5\. Fixed Stack overflow vulnerability. Thanks to Jixing Wang (@chamd5) contribution.  
6\. Fixed information disclosure vulnerability .Thanks to CataLpa from DBappSecurity Co.,Ltd Hatlab and 360 Alpha Lab contribution.

Please unzip the firmware file first then check the MD5 code.  
MD5: 4b80f4f7c3bbf390dada553702f4879c

Show all

Tag

#samba