CVE-2021-20090 Vulnerability

[Phantomski]

Would this CVE also affect Merlin’s firmware, or is this just part of the original Asus code, not embedded in the custom version?

https://www.tenable.com/cve/CVE-2021-20090
https://www.bleepingcomputer.com/ne...passes-authentication-on-millions-of-routers/

 

[ColinTaylor]

There's nothing there that suggests this would be applicable to any of the Merlin supported routers, even when running stock firmware.

 

[RMerlin]

All the targeted devices run a different firmware, none of these are Asuswrt-based.

 

[Phantomski]

Great news, thanks guys. The four mentioned ASUS routers (albeit DSL versions) worried me a little, but good to know there are no hidden Arcadyan bits hidden in Asuswrt code.

 

[netware5]

It doesn't matter if Asus routers are vulnerable or not. The rule is very simple: no remote (WAN) access - no vulnerability. Remote (WAN) access to router's Web Interface shall not be enabled, full stop! If remote access is really needed the only secure solution is to use VPN.

 

[Phantomski]

Remote (WAN) access to router's Web Interface shall not be enabled, full stop! If remote access is really needed the only secure solution is to use VPN.

Absolutely.

That said, you can still execute an attack from vulnerable internal LAN device, via compromised WiFi, etc, etc. LAN only is neither a replacement nor mitigation for poor internal security, just creates smaller attack surface.

But as the saying goes, you have to succeed all the time. The attacker only once.