RT-68U (Firmw 384.8.2) Vulnerabilities revealed by zANTI

brumac

Occasional Visitor
Good morning, I am not an expert and need help.
Yesterday I tested the vulnerabilities of my RT-68U (Firmware Asuswrt-Merlin 384.8.2) with zANTI.
Result:
Vulnerabilities (3):
smb-vuln-cve2009-3103,
http-slowloris-check, http-method-tamper
Do I have to change the configuration?
What should I do?
Greetings to everyone!
PS Google translator
 
For starters, run the Router Security Assessment on the AIProtection page.

Did you look up the CVE on Google?

Have you got SAMBA share enabled under USB Application?
 
I looked for CVE on Google. I did not understand anything. I apologize for my ignorance.
In AIProtection page Enabled AiProtection is OFF! Router Security Assessment gives me 3 Risk:
Malicious Website Blocking enabled
No
Vulnerability Protection enabled -
No
Infected Device Prevention and Blocking
No
Better to activate everything? Can I trust Trend Micro?
Thanks a lot for the answer!
Bruno
 
It’s optional. It will ask you to read and accept the EULA before AiProtect features are enabled. Read it well before deciding. The router will send a significant amount of data, including all of your web browsing, to TrendMicro (which is a reputable well known AV company).

Merlin trusts them enough to use AiProtect. Personally I don’t and evidence shows they’ve been negligent in the recent past. In September of 2018 a lot of their software was removed from the Apple Mac App Store because it was literally Chinese Spyware. They outsource product development and don’t bother to check if it’s safe. Shame on Apple too for letting it into their App Store. Read up on it.

”Apple has removed almost all popular security apps offered by well-known cyber-security vendor Trend Micro from its official Mac App Store after they were caught stealing users' sensitive data without their consent...” - from https://thehackernews.com/2018/09/apple-trendmicro-macos-apps.html?m=1

Besides that opting into aggressive network-level data collection seems like a bad idea.
 
I didn’t realise you had to enable AIProtection to run the security scan. So you could turn it on, run the scan and then turn it off if you wanted. But I’ve run all the AIProtection modules for several years without any qualms. And I remember a few years back that Merlin said he had run (or runs) most if not all the modules without hesitation. What’s good enough for Merlin is more than good enough for me.
 
My memory isn’t quite up to speed: Merlin wrote, “I don't use the Infected Device detection. I only use the Vulnerability Protection feature.” Nevertheless, I’m fairly certain that, in other posts over the years, Merlin has said words to the effect of his trusting AIProtection or certainly not distrusting it.

Anyway, have a look on the forum and see what the consensus is eg:

https://www.google.com/search?q=asu...HM-wKHTpgDqUQrQIoBDAAegQIBBAJ&biw=320&bih=548
 
Considering cve2009-3103 specifically targets Windows, I doubt your scanning software is doing a good job at determining real issues there, as your router is using Samba, a completely different daemon. This is a false positive.
 
I've been using Merlin's firmware for several years, first on the N66U, then the AC68U, now on the AC86U. I have AIProtection enabled, SAMBA share enabled and guest login enabled. It's the only way I can access the Toshiba portable hard drive connected to the router. Nothing on it but backups. I'm still working on that. Mostly a learning thing. I trust Merlin's firmware and haven't had any problems with it. We live out in the sticks, closest neighbor is 1/4 mile away. I'm nobody from nowhere Arkansas. If the Chinese or anybody else wants to know that I shop at Amazon, and Wal-Mart, that I am a SNB forum member, a HowToGeek and Windows10 forum subscriber so be it. Who cares. A terrible waste of their time and resources.
 
I'm curious about it. I also trust the Merlin Firmware and I do not even have to hide.
Thinking about vulnerabilities, they are perhaps false positives because I have not said one important thing:
I have configured on my rt-68u VPN client (NordVPN) and also OpenVPN server (to communicate with my home network remotely)
Perhaps it is the VPN that opens some protocols that then turn out to be false positives:
Sorry for my ignorance on the subject and for my English!
 
443 tcp open https syn-ack

http-method-tamper VULNERABLE:
Authentication bypass by HTTP verb tampering
State: VULNERABLE (Exploitable)
This web server contains password protected resources vulnerable to authentication bypass
vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
common HTTP methods and in misconfigured .htaccess files.

Extra information:

URIs suspected to be vulnerable to HTTP verb tampering:
/ [HEAD]

References:
http://capec.mitre.org/data/definitions/274.html
http://www.imperva.com/resources/glossary/http_verb_tampering.html
https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)
http://www.mkit.com.ar/labs/htexploit/
How to solve vulnerabilities?
 
Configure your router to allow HTTP access only through the local area network.
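The http-method-tamper finding above rests on a simple test: find a URI that answers 401 to a GET, then see whether other verbs get the same 401. The Python script below is an added illustration (not part of the original thread, and not the nmap/zANTI code) that reproduces a simplified version of that logic against two throw-away local servers: one that checks the password only in its GET handler, which is the misconfiguration the check is designed to catch, and one that runs every method through the same gate. The server code, the credentials, the page body and the loopback port are all constructed for the example; the exact list of verbs and status codes the real NSE script uses is an assumption here.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed credentials for the throw-away servers below (an assumption for
# the example, not a router default).
USER, PASSWORD = "admin", "s3cret"
PAGE = b"<html>protected admin page</html>"
_EXPECTED_AUTH = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


def _authorized(handler):
    return handler.headers.get("Authorization") == _EXPECTED_AUTH


def _deny(handler):
    handler.send_response(401)
    handler.send_header("WWW-Authenticate", 'Basic realm="router"')
    handler.send_header("Content-Length", "0")
    handler.end_headers()


def _serve(handler):
    handler.send_response(200)
    handler.send_header("Content-Type", "text/html")
    handler.send_header("Content-Length", str(len(PAGE)))
    handler.end_headers()
    if handler.command != "HEAD":  # HEAD carries headers only, never a body
        handler.wfile.write(PAGE)


class VulnerableHandler(BaseHTTPRequestHandler):
    """Password is checked in do_GET only; do_HEAD falls straight through.
    This is the pattern a verb-tampering check is built to flag."""

    def do_GET(self):
        if _authorized(self):
            _serve(self)
        else:
            _deny(self)

    def do_HEAD(self):
        _serve(self)  # BUG: no authorization check on the HEAD path

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """One gate in front of every method that reaches a handler."""

    def _handle(self):
        if _authorized(self):
            _serve(self)
        else:
            _deny(self)

    do_GET = do_HEAD = do_POST = _handle

    def log_message(self, *args):
        pass


def start_server(handler_cls):
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)  # port 0: OS picks a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def status(url, method):
    """Status code of one request; urllib raises on 4xx/5xx, so unwrap it."""
    try:
        with urlopen(Request(url, method=method), timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def verb_tamper_check(base_url, path="/", verbs=("HEAD", "POST", "OPTIONS", "TRACE")):
    """Simplified model of the check (assumption, not the NSE script's code).
    A URI is only a candidate if GET answers 401. Of the other verbs, those
    that come back 2xx are reported as bypasses; 401/403/405/501 mean the verb
    is still refused or not implemented at all, which is not a bypass."""
    url = base_url + path
    if status(url, "GET") != 401:
        return {}
    found = {}
    for verb in verbs:
        code = status(url, verb)
        if 200 <= code < 300:
            found[verb] = code
    return found


def demo():
    """Run the check against both throw-away servers; returns {name: bypasses}."""
    results = {}
    for name, cls in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        srv = start_server(cls)
        base = "http://127.0.0.1:%d" % srv.server_address[1]
        results[name] = verb_tamper_check(base)
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable': {'HEAD': 200}, 'hardened': {}}
```

The vulnerable server reports exactly the shape seen in the scan output (the root URI, bypassed with HEAD); the hardened one reports nothing because its HEAD path answers 401 like GET does. Pointing `verb_tamper_check` at a real router's admin URL needs an SSL context that accepts its self-signed certificate and a URI that really does answer 401 to GET; a 405 or 501 for an unknown verb is the server refusing the method, not an authentication bypass, which is why the check above does not count it.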
 
How do I configure the RT68U router (Asuswrt-Merlin firmware) to allow HTTP access only through the local network? I do not know where to change this setting.
Thank you!
 
On my RT-AC68U, the setting is
Advanced Settings | Administration | System | Enable Web Access from WAN
It is located at the very bottom of the System page.
 
Now I checked: Remote Access Config:
Enable Web Access from WAN: No
Firmware bug or depends on the OpenVPN (NordVPN) configuration on TCP port 443?!
 
OK! I was referring to (Firmware bug or depends on the OpenVPN (NordVPN) configuration on TCP port 443?!) :
443 tcp open https syn-ack
http-method-tamper VULNERABLE:
Authentication bypass by HTTP verb tampering
State: VULNERABLE (Exploitable)
This web server contains password protected resources vulnerable to authentication bypass
vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
common HTTP methods and misconfigured .htaccess files.
Do you recommend installing Skynet (firewall)?
 
Last edited:
I can’t help you with the bulk of your post, as for the last sentence, Skynet has a lot of very satisfied customers. Read here, both the question and the answer: it will give you a quick insight. https://www.snbforums.com/threads/skynet-asus-firewall-addition.16798/page-194#post-459552


Where did the vulnerability assessment in your post come from?
 
I tested the vulnerabilities of my RT-68U (Firmware Asuswrt-Merlin 384.8.2) with zANTI:
443 tcp open https syn-ack
http-method-tamper VULNERABLE:
Authentication bypass by HTTP verb tampering
State: VULNERABLE (Exploitable)
So to install Skynet I have to format a USB pen drive in ext4 and then where do I download Skynet and how do I install it?
Thanks!
 