A few points of clarification on ASUS Security issues

Qanan

New Around Here
Hey all,

I know that there was a lot of information flying back and forth about the security issues myself and others reported both this and last year. I only do this because I respect Merlins software, but was troubled by some of the comments on this thread here http://forums.smallnetbuilder.com/showthread.php?t=16741.

The Ars story I was not contacted about, and yes, as Merlin pointed out, much of the story overlaps, confusing several coexisting sec issues and different timelines. ASUS was made aware of the anon FTP default about a week after I made my first post in June of 2013. The clear text password and other bugs were fixed by ASUS in July of 2013, though as many know most end users will never actually update their gear. Not ASUS's fault, though I believe that a better way to push patches can be developed.

As for the FTP issue, I disagree with Merlin about it not being a bug, since no real proper documentation existed to alert people that activation of the FTP service was defaulted to the world. Certainly I can understand his point on the technicalities of bug versus not bug, though CWE exists solely for poor implementation of service authentication. As for the lack of CVEs, even though there is one, MITRE and I had a very heated disagreement last summer, and hence they stopped issuing me CVEs. That was due to me bypassing MITRE in July and going directly to DHS on the ASUS/WD/Linksys issue. They didn't like being circumvented, but yet they do hold CVEs like awards they give to their more liked researchers. I digress, but to this day I can only get a CVE through US-CERT. Since they (MITRE) are funded by Homeland Security, I made sure my displeasure was heard by those in the govt.

I take issue with some of the comments made on the other thread blaming the customers for not knowing how or what to lock down in the FTP service. While I strongly agree the avg consumer needs to be more knowledgeable on what services do what, and the consequences of these services, I am not about to stand in judgment of the very many people who lost a lot by this bug. Anon default FTP is plain inexcusable, and I've made that complaint very clear to the FTC.

No router can ever be 100% secure, though I feel it really is time to stop this nonsense of selling remote management as a good thing, and for some router company to have the courage to end the silliness of managing routers away from home. Get a secure VPN box for that, because in the end embedded web apps are very hard to lock down, but rather easy to bypass.

Indeed, here is just a small listing of artifacts ASUS left in AiCloud that are accessible without auth. Yes, they do take a rather high level of skill to exploit, but nevertheless, why are they in there?

(some dupes, some old firmware, some new firmware all AiCloud side)

/smb/css/upload.html
/smb/css/video.html
/smb/js/jplayer/
/smb/js/davclient.js/doc/
/smb/css/audio.html
/smb/tmp/etc/web/hdr.html
/smb/tmp/etc/web/ftr.html
/smb/js/davclient.js/test_client.html
/smb/js/davclient.js/dommer/example.html
/smb/js/davclient.js/dommer/run_tests.html
/smb/js/davclient.js/doc/davclient.html
/smb/js/davclient.js/minisax.js/example.html
/smb/css/makedir.html
/smb/js/davclient.js/test_fs.html
/smb/css/setting.html
/smb/css/rename.html
/smb/css/login.html
/smb/js/davclient.js/minisax.js/
/smb/tmp/etc/web/config.html
/smb/css/upload.html
/smb/css/video.html
/smb/js/jplayer/
/smb/js/davclient.js/doc/
/smb/css/audio.html
/smb/tmp/etc/web/hdr.html
/smb/tmp/etc/web/ftr.html
/smb/tmp/etc/web/config.html
/smb/js/davclient.js/test_client.html
/smb/js/davclient.js/dommer/example.html
/smb/js/davclient.js/dommer/run_tests.html
/smb/js/davclient.js/doc/davclient.html
/smb/js/davclient.js/minisax.js/example.html
/smb/css/sharelink.html
/smb/css/status-401.html
/smb/css/makedir.html
/smb/js/davclient.js/test_fs.html
/smb/css/setting.html
/smb/css/rename.html
/smb/css/login.html
/smb/js/davclient.js/minisax.js/

Not to mention that AiCloud on the older firmware can be mounted as a WebDAV share, and a huge number of folders had unauth read/write access, with trivial ways to execute files. Newer firmware can still be mounted, but they reduced what can be changed or executed. There should be no unauth WebDAV mounting, period.

Moreover, I've already defeated their AiCloud again using the ?mobile=1 feature, to access local Samba shares. They may have fixed it now, don't know.

But back to the FTP thing, yes, they did know back last July and in my opinion they just never considered it a bug. Not until the PCWorld Norway editor approached them did they lift a finger to fix it. Seems a bit shitty to show the most concern only when the media is involved. A lot of people lost a lot of personal data, and still over 12k FTP sites are open. Not cool, and those that blamed the end users, I think that was a dick move. Be protective of ASUS, fine, but let's call a spade a spade when we see one. None of them deserved what they got, not one.

People can say it's just business, and many of us can say that it's just as much within our rights to call them out on BS when we see it.
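A self-check you can run against your own router after updating it or disabling FTP and AiCloud, added here as an example and not part of the post above or of any ASUS or Merlin firmware: it tries an anonymous FTP login and then requests the AiCloud paths quoted above with no credentials, reporting which ones are still served. The LAN address is yours to supply; the FTP and HTTP transports are injectable so the logic can be exercised without a live device.

```python
import ftplib
import urllib.error
import urllib.request

# AiCloud paths quoted in the post above (duplicates removed).
AICLOUD_PATHS = [
    "/smb/css/upload.html", "/smb/css/video.html", "/smb/css/audio.html",
    "/smb/css/makedir.html", "/smb/css/setting.html", "/smb/css/rename.html",
    "/smb/css/login.html", "/smb/css/sharelink.html", "/smb/css/status-401.html",
    "/smb/tmp/etc/web/hdr.html", "/smb/tmp/etc/web/ftr.html", "/smb/tmp/etc/web/config.html",
    "/smb/js/jplayer/", "/smb/js/davclient.js/doc/", "/smb/js/davclient.js/doc/davclient.html",
    "/smb/js/davclient.js/test_client.html", "/smb/js/davclient.js/test_fs.html",
    "/smb/js/davclient.js/dommer/example.html", "/smb/js/davclient.js/dommer/run_tests.html",
    "/smb/js/davclient.js/minisax.js/", "/smb/js/davclient.js/minisax.js/example.html",
]

def anonymous_ftp_allowed(host, port=21, timeout=5, ftp_factory=ftplib.FTP):
    """True if the FTP service accepts an anonymous login, False if it refuses
    one, None if the port is unreachable. ftp_factory is injectable so the
    logic can be exercised without a live router (assumed helper, not firmware code)."""
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()            # ftplib's default credentials are anonymous / anonymous@
        ftp.quit()
        return True
    except ftplib.error_perm:  # 530: anonymous login refused, which is the state you want
        return False
    except OSError:            # connection refused or timed out: nothing listening on the port
        return None

def http_status(url, timeout=5, context=None):
    """Fetch url with no credentials and return the HTTP status, or None if the
    request failed. For HTTPS, pass an ssl.SSLContext that trusts the router's
    (usually self-signed) certificate as context."""
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code        # 401/403 here means the path is behind auth
    except urllib.error.URLError:
        return None

def unauthenticated_aicloud_paths(base_url, paths=AICLOUD_PATHS, status=http_status):
    """Return the paths the server hands out with HTTP 200 and no credentials."""
    return [p for p in paths if status(base_url.rstrip("/") + p) == 200]
```

Run `anonymous_ftp_allowed("192.168.1.1")` and `unauthenticated_aicloud_paths("https://192.168.1.1", status=lambda u: http_status(u, context=ctx))` with your router's address and a context that trusts its certificate; an empty list and `False` are the results you want to see.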
 
New ac68u user here. Tyvm for this informative post.

If I'm reading this correctly, AiCloud can still be exploited with the latest firmware? Am I affected if I have disabled AiCloud from the interface altogether?

Sent from my Nexus 5 using Tapatalk
 
That's the reason I am not using AiCloud. I am using OpenVPN server in TAP mode to access my files from everywhere instead. It is a little bit slower but much more secure.
 