Asuswrt-Merlin Vulnerable?

Asus has not released the 5517 for the 68U. And reading further, it says 5047 for the 68U is the fix. Not sure if Merlin added the fixes to his latest betas or not.
 
The first isn't really a proper vuln; it's someone making a noise about nothing.

If you need to be logged in to see the admin password, then it's a non-issue, as at that point you are able to change the password, reset the device, etc. anyway.

Auto logout as a security measure seems to be something to appease complainers. If anything, auto logout is less secure, as it forces repeated use of credentials, and every time credentials are used it's a risk. Luckily it seems Asus had the sense to make it optional.

The latter two are bugs, but again, since you need to be logged in anyway, I don't consider them significant vulns. But of course this will get hyped up and Merlin will probably patch these in :)
 
The only vulnerability from that list present in 374.41 Beta is the password being in plaintext in the web interface source code. The other vulns were already fixed in 374_5047.

Mitigation methods against this remaining issue:

1) Enable HTTPS and disable HTTP, and use a different port than the standard 8443. That way, a malicious website will be unable to access your router's web interface over JavaScript, as it won't know the port to use.
2) Don't stay logged on to your router web interface unless you really have to. The only way a malicious website can exploit this is if you are currently logged on to your router in a separate tab.

This remaining vulnerability will only be fixed after the 374.41 release, since there is no source code available at this time for 5547.
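A quick way to confirm that mitigation 1) actually took effect from a LAN client, added here as an example and not part of the post above or of Asuswrt-Merlin itself: it checks that port 80 (HTTP) and the default HTTPS port 8443 are closed on the router, and that the custom port you chose answers a TLS handshake. It assumes the router's LAN address is 192.168.1.1 and that the router uses a self-signed certificate, so certificate verification is deliberately skipped (this is a reachability check, not a trust check).

```python
import socket
import ssl
import sys

# Assumed defaults (Asus LAN IP is an assumption; 80 and 8443 are the ports named in the post).
ROUTER = "192.168.1.1"
HTTP_PORT = 80
DEFAULT_HTTPS_PORT = 8443


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def speaks_tls(host, port, timeout=2.0):
    """Return True if host:port completes a TLS handshake.

    Verification is disabled on purpose: the router's certificate is assumed
    to be self-signed, and we only want to know that HTTPS is what answers.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.settimeout(timeout)
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def audit(host, https_port):
    """Compare the router's exposed ports against mitigation 1) and return findings."""
    findings = []
    if port_open(host, HTTP_PORT):
        findings.append("HTTP on port 80 is still open: disable HTTP and use HTTPS only")
    if https_port != DEFAULT_HTTPS_PORT and port_open(host, DEFAULT_HTTPS_PORT):
        findings.append("default HTTPS port 8443 is still open: move the web UI off 8443")
    if https_port == DEFAULT_HTTPS_PORT:
        findings.append("HTTPS is on the default port 8443: pick a non-standard port")
    if not speaks_tls(host, https_port):
        findings.append("port %d does not answer TLS: HTTPS is not enabled there" % https_port)
    return findings


# --- Constructed local fixtures so the checks can be exercised without a router ---

def free_local_port():
    """Bind and release an ephemeral port; afterwards nothing is listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_plain_listener():
    """A plain TCP listener that never speaks TLS (stands in for an HTTP-only port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python audit_router.py <custom-https-port> [router-ip]
    port = int(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_HTTPS_PORT
    host = sys.argv[2] if len(sys.argv) > 2 else ROUTER
    problems = audit(host, port)
    if problems:
        for p in problems:
            print("FAIL:", p)
    else:
        print("OK: HTTP closed, 8443 closed, TLS answers on port", port)
```

Run it from a wired or wireless LAN client, not from the router itself, since the point is what other hosts on your network (and a browser on them) can reach. A clean result still does not remove mitigation 2): logging out when you are done is what actually closes the window in which a page in another tab could act with your session.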
 