Are Asus routers running ASUSWRT-Merlin affected by NAT Slipstreaming? Mitigations?


ADFHogan

Regular Contributor
I posted here previously about this - and it seems my post was interpreted as "general security" and then shifted off into another forum.

I've made this post more specific.


... do we know if Asus routers running Merlin are vulnerable to this?
... if so, what mitigations can we deploy?

For now, I've turned off the ALGs that I'm not using to try and reduce the attack surface.
 

ColinTaylor

Part of the Furniture
The author identified the following ALGs as potential candidates: sane (backup), sip (voip), pptp (vpn), and h323 (voip). He chose to concentrate on SIP as that seemed the most promising.

All four three of the relevant ALGs can be disabled on Asus routers in the NAT Passthrough options.
 

itpp20

Regular Contributor
Being more specific would help, 'all 4' does not list the 6 options or each impact of switching them off.

Capture.PNG
 

ColinTaylor

Part of the Furniture
Being more specific would help, 'all 4' does not list the 6 options or each impact of switching them off.
Sorry, I should have said "all 3" as "sane" is not a router option. So all 3 are sip, pptp, and h323.
 

itpp20

Regular Contributor
Ok so let's discuss mitigation(s), (what effects to expect or not)

Capture.PNG


SIP and H.323 are not going to impact VOIP (at least not on my end, tested).
If anyone else can test this we can exclude side effects.

PPTP: this may affect old style (and obsolete) VPNs.
 

ColinTaylor

Part of the Furniture
Do bear in mind that he only investigated SIP. He never looked at PPTP or H.323.
 

itpp20

Regular Contributor
If it's not going to affect services and it offers a potential risk (ALG) it should be off.
 

ADFHogan

Regular Contributor
What about FTP in Merlin?
1604874146234.png

Presumably FTP ALG is only required if PASV FTP is not in use? Is it possible to turn off the FTP one? Who still uses FTP these days?
 

itpp20

Regular Contributor
Nearly all IP cams use ftp and if they support smb it's mostly smbv1.

If ftp is off (under usb devices) is this port still listening? Even if ftp is on, could we internally firewall this port (and does ftp still work)?

Also note the text at the top "...connection to pass through the router to the network clients", as I read this I am assuming the ftp server on the router is not a client, a ftp server running on a LAN device (desktop/laptop/nas) would be a valid client.
 

Jeffrey Young

Senior Member
What about FTP in Merlin?
View attachment 27531
Presumably FTP ALG is only required if PASV FTP is not in use? Is it possible to turn off the FTP one? Who still uses FTP these days?

@ColinTaylor actually gave a solution to this a week or so ago. I hate using this site's search feature, so here was the solution posted.

In the firewall-start script (assuming you are using Merlin), add the following;

Code:
rmmod nf_nat_ftp
rmmod nf_conntrack_ftp

Cheers
 

mike37

Regular Contributor
@ColinTaylor actually gave a solution to this a week or so ago. I hate using this site's search feature, so here was the solution posted.

In the firewall-start script (assuming you are using Merlin), add the following;

Code:
rmmod nf_nat_ftp
rmmod nf_conntrack_ftp

Cheers

FWIW I had to use "modprobe -r"; don't have rmmod on my AC-68u.

Thanks to ADFHog and all others on this short thread!!
 

Jeffrey Young

Senior Member


FWIW I had to use "modprob -r"; don't have rmmod on my AC-68u.

Thanks to ADFHog and all others on this short thread!!

Thanks for letting me know. I have the 86U, which is a vr 4.x kernel. The 68U is a vr 2.x kernel. Added to my notes on the subject as I have a 68U as play/test router.
 

Wallace_n_Gromit

Senior Member
Ok so let's discuss mitigation(s), (what effects to expect or not)

View attachment 27528

SIP and H.323 are not going to impact VOIP (at least not on my end, tested).
If anyone else can test this we can exclude side effects.

PPTP: this may affect old style (and obsolete) VPNs.
I was listening to NPR on my Amazon Echo when I disabled [PPTP], [H.323], and [SIP]. I lost the National Public Radio stream on my Echo. After reenabling [H.323], the stream on my Echo device returned to normal.

ADDITIONAL NOTE: I then decided to disable [L2TP Passthrough], [IPSec Passthrough], and [RTSP Passthrough]. Disabling [RTSP Passthrough] ALSO caused my Amazon Echo to lose the National Public Radio stream I was listening to.

To mitigate this issue better, would you allow just [Enabled] or [Enabled + NAT helper]?
 

Wallace_n_Gromit

Senior Member


FWIW I had to use "modprob -r"; don't have rmmod on my AC-68u.

Thanks to ADFHog and all others on this short thread!!
I also have the RT-AC68U. What would the full entry look like when you add it to firewall-start? i.e. instead of:
(2 lines)
rmmod nf_nat_ftp
rmmod nf_conntrack_ftp
Do:
(1 line)
modprob -r
 

ColinTaylor

Part of the Furniture
I also have the RT-AC68U. What would the full entry look like when you add it to firewall-start? i.e. instead of:
(2 lines)
rmmod nf_nat_ftp
rmmod nf_conntrack_ftp
Do:
(1 line)
modprob -r
It's modprobe not modprob. I use rmmod out of habit even though modprobe -r is meant to be better. Either should have worked though. As always, test them from the command line before implementing a script.
 

mike37

Regular Contributor
I used two lines. Added them after existing items in firewall-start:
modprobe -r nf_nat_ftp
modprobe -r nf_contrack_ftp

NOTE: check spellings. my earlier post lost the "e" at the end of modprobe
 

Wallace_n_Gromit

Senior Member
I used two lines. Added them after existing items in firewall-start:
modprobe -r nf_nat_ftp
modprobe -r nf_contrack_ftp

NOTE: check spellings. my earlier post lost the "e" at the end of modprobe

just entering the commands at the prompt yielded this:

ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
[email protected]:/tmp/home/root# modprobe -r nf_nat_ftp
[email protected]:/tmp/home/root# modprobe -r nf_contrack_ftp
modprobe: module nf_contrack_ftp not found in modules.dep
[email protected]:/tmp/home/root#

that second command line didn't work for my RT-AC68U.

EDIT: after reviewing the prior Thread posts I realized there was a speeling eeror :oops: on contrack (which should be conntrack which now worked)
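
The unload step discussed in the posts above, written out as an added example that is not from any poster or from the firmware: it picks whichever of `modprobe -r` or `rmmod` exists, unloads `nf_nat_ftp` before `nf_conntrack_ftp`, and re-checks the loaded-module list so a misspelled name cannot pass silently. `MODULES_FILE`, `APPLY` and the function names are assumptions made for this sketch; it defaults to a dry run so it can be tried at the prompt first.

```shell
#!/bin/sh
# Added example (not from the thread): unload the FTP ALG helpers and verify.
# MODULES_FILE and APPLY are names invented for this sketch.
MODULES_FILE="${MODULES_FILE:-/proc/modules}"  # override to test on sample data
APPLY="${APPLY:-0}"                            # 0 = dry run, 1 = really unload

# nf_nat_ftp depends on nf_conntrack_ftp, so it has to be removed first.
FTP_HELPERS="nf_nat_ftp nf_conntrack_ftp"

# True only if the exact module name is in the loaded-module list.
is_loaded() {
    grep -q "^$1 " "$MODULES_FILE" 2>/dev/null
}

# Print whichever unload command this firmware build provides.
pick_unloader() {
    if command -v modprobe >/dev/null 2>&1; then echo "modprobe -r"
    elif command -v rmmod >/dev/null 2>&1; then echo "rmmod"
    else return 1
    fi
}

# Print every FTP helper that is still loaded. A typo in the unload step
# shows up here, because the correctly named module is still listed.
remaining_ftp_helpers() {
    for m in $FTP_HELPERS; do
        if is_loaded "$m"; then echo "$m"; fi
    done
}

disable_ftp_alg() {
    unloader=$(pick_unloader) || unloader="rmmod"
    for m in $FTP_HELPERS; do
        is_loaded "$m" || continue
        if [ "$APPLY" = "1" ]; then
            $unloader "$m" || echo "failed: $unloader $m" >&2
        else
            echo "would run: $unloader $m"
        fi
    done
    # In apply mode, succeed only if no FTP helper is left loaded.
    [ "$APPLY" != "1" ] || [ -z "$(remaining_ftp_helpers)" ]
}

disable_ftp_alg
```

Run it once as-is to see the planned commands, then set `APPLY=1` before adding it to firewall-start.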
 

pirx73

Senior Member
FWIW I had to use "modprobe -r"; don't have rmmod on my AC-68u.
I do have rmmod on my AC-68U. Most likely installed by Entware.
 

itpp20

Regular Contributor
To mitigate this issue better, would you allow just [Enabled] or [Enabled + NAT helper]?
A nice article to read up on ALG:

As far as I can find the 'helper' module is something needed around 2008 but as far as I understand the implementation is partly the reason why ALG in its core is flawed enabling slipstream hacks.
Ymmv.
 
