Don Vrooman
New Around Here
I have a number of ASUS routers I have updated to firmware versions 3.0.0.4.382.50470 or 50702 - these are typically older routers like the single core AC66U/R, N66U/R, AC1750, etc. With the these two firmware versions, the OpenVPN passwords are hidden in the Username/Password table, and a "-" appears in the Password column for all entries.
Of concern: after running for a number of weeks, and then entering a new client username and password, all passwords except for admin and the newest one entered actually become "-" (a dash). This renders the VPN insecure, and could probably become one of those Shodan searches that would make this vulnerability broadly available.
When reported to ASUS, they assured me they could not replicate the problem.
Happens without regard to the kind of connection: TCP/UDP, Tun/Tap, etc., and without regard to the client (OpenVPN, OpenVPN Connect, Viscosity, Tunnelblick, etc.) or client OS (iOS, Win 7/10, Android, macOS).
Anyone share this experience?
UPDATE
A hard reboot "fixes" the problem, so after adding, changing, or deleting usernames or passwords, power the device off and after a short wait, back on.
Of concern: after running for a number of weeks, and then entering a new client username and password, all passwords except for admin and the newest one entered actually become "-" (a dash). This renders the VPN insecure, and could probably become one of those Shodan searches that would make this vulnerability broadly available.
When reported to ASUS, they assured me they could not replicate the problem.
Happens without regard to the kind of connection: TCP/UDP, Tun/Tap, etc., and without regard to the client (OpenVPN, OpenVPN Connect, Viscosity, Tunnelblick, etc.) or client OS (iOS, Win 7/10, Android, macOS).
Anyone share this experience?
UPDATE
A hard reboot "fixes" the problem, so after adding, changing, or deleting usernames or passwords, power the device off and after a short wait, back on.
Last edited:
