PT-2023-4970 · Asus · Asus Rt-Ax55

Published 2023-09-11 · Updated 2025-10-31 · CVE-2023-39780

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

ASUS RT-AX55 version 3.0.0.4.386.51598
Description

The issue is an authenticated command injection vulnerability that allows a remote attacker to execute arbitrary system commands.

Over 9,000 ASUS routers have been compromised by a botnet named "AyySSHush," which exploits this vulnerability to add a persistent SSH backdoor, allowing continued access even after firmware updates. The attackers use a combination of brute-force login attempts and authentication bypass methods, including the exploitation of the command injection vulnerability, to gain access to the routers. They then enable SSH access on a non-standard port (TCP/53282) and install a malicious public key for remote access. The backdoor is stored in the router's NVRAM, so it persists across firmware updates and system reboots. The attackers also disable logging to avoid detection.
Recommendations

To resolve the issue for ASUS RT-AX55 version 3.0.0.4.386.51598, update the firmware to the latest version. Additionally, check for and remove any unauthorized SSH keys, and block the IP addresses 101.99.91.151, 101.99.94.173, 79.141.163.179, and 111.90.146.237. If necessary, reset the device to its factory settings and reconfigure it. As a temporary workaround, consider disabling SSH access on the non-standard port (TCP/53282) until a patch is available. Restrict access to the vulnerable authorized keys file to minimize the risk of exploitation. Avoid using the SSH protocol until the issue is resolved.
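The checks recommended above can be run offline against a saved settings dump and a firewall log. The following is an added example, not code from the advisory or from ASUS. The setting names `sshd_enable`, `sshd_port` and `sshd_authkeys`, the `>` key separator and the log format are assumptions, and all sample data is constructed.

```python
import re

# Indicators taken from the advisory text.
BACKDOOR_PORT = "53282"
BLOCKLIST = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

def key_id(entry):
    """Identify a public key by (type, base64 blob), ignoring the comment."""
    return tuple(entry.split()[:2])

def audit(dump, approved_keys, fw_log):
    """Return a list of findings; an empty list means no indicator matched."""
    # One key=value setting per line, as in a saved settings dump.
    nv = dict(l.split("=", 1) for l in dump.splitlines() if "=" in l)
    findings = []
    # ASSUMPTION: sshd_enable, sshd_port, sshd_authkeys are hypothetical names.
    if nv.get("sshd_enable", "0") != "0" and nv.get("sshd_port") == BACKDOOR_PORT:
        findings.append(f"ssh enabled on tcp/{BACKDOOR_PORT}")
    approved = {key_id(k) for k in approved_keys}
    # ASSUMPTION: several keys stored in one setting are joined with '>'.
    for entry in nv.get("sshd_authkeys", "").split(">"):
        if entry.strip() and key_id(entry) not in approved:
            findings.append(f"unapproved ssh key: {entry.split()[-1]}")
    # ASSUMPTION: log lines carry SRC=, DST= and DPT= fields (iptables LOG style).
    for line in fw_log.splitlines():
        f = dict(re.findall(r"\b(SRC|DST|DPT)=(\S+)", line))
        if {f.get("SRC"), f.get("DST")} & BLOCKLIST:
            findings.append(f"traffic with blocked address: {line.strip()}")
        elif f.get("DPT") == BACKDOOR_PORT:
            findings.append(f"connection to tcp/{BACKDOOR_PORT}: {line.strip()}")
    return findings

# Constructed sample data, not from a real device. 192.0.2.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_DUMP = """sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-ed25519 AAAAC3ADMINKEY admin@laptop>ssh-rsa AAAAB3UNKNOWNKEY unknown
"""
SAMPLE_APPROVED = ["ssh-ed25519 AAAAC3ADMINKEY admin@laptop"]
SAMPLE_LOG = """IN=eth0 SRC=101.99.91.151 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=53282
IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=443
IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=53282
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP, SAMPLE_APPROVED, SAMPLE_LOG):
        print(finding)
```

Because the description states that the key is stored in NVRAM and survives firmware updates, rerun the key check after updating, not only before.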

Exploit

Fix

Command Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-05508
CVE-2023-39780

Affected Products

Asus Rt-Ax55