ASUS RT-AX88U - externally-controlled format string - security vulnerability

[PunchCardBoss]

TWCERT/CC reporting a serious RT-AX88U Vulnerability. From the looks of things, it appears the vulnerability is related to OpenVPN.
Source: https://www.twcert.org.tw/tw/lp-132-1-1-60.html

 

[L&LD]

Yes, the RT-AX88U is 'old'. The older the more time to hack it.

This is one reason why having the latest hardware (if/when possible) is actually a safety/security bonus. With the older routers, sure, a fix may (or may not) be released. With a newer model, it will be (and hopefully in a timely manner).

Sadly, I wouldn't expect this from a 2017 model, today. But Asus seems to be the only manufacturer that actually goes above and beyond any others with regards to this type of support, even for their older models.

 

[drabisan]

That's a really new one, not documented by all means as of now.
What's interesting is targeting AX88U using the latest firmware. But it mention OpenVPN and AFAIK Asus is using the same OpenVPN release across different platforms on the same software track.
So if it's confirmed, it will definitely be bigger than AX88U.

I partially agree with L&LD point - a newer hardware tends to get newer software for longer. But that's not a bullet proof statement if we look at how many releases AC68U got - likely more than any other model (if not several models combined).

As long as AX88U is not end of life just keep upgrading. Every now and then s..t hits the fan and you get a major bug. But considering fairly limited Asus' dependency on a handful of chipsets, I fail to see a not-end of life model at any higher risk than other. It may get upgrades slower (read ROG routers that are lagging most times), but that's the best we can do. Yeap, keeping track on CVE as they are published with details makes sense, but most of us are unable to read those. But for ex if you're using OpenVPN and there's a bug in that code...makes sense to turn off that feature temporarily until the upgrade is published.

 

[ColinTaylor]

TWCERT/CC reporting a serious RT-AX88U Vulnerability. From the looks of things, it appears the vulnerability is related to OpenVPN.
Source: https://www.twcert.org.tw/tw/lp-132-1-1-60.html

How about actually translating and reading it? It says it was fixed in the July (3.0.0.4_388_23748) firmware update.

So much for the doom-mongers saying it won't receive a timely fix.

 

[L&LD]

So much for the doom-mongers saying it won't receive a timely fix.

You need to read the whole post before jumping to your presumptions.

 

[Ripshod]

Am I missing something, or isn't this already fixed? 23748 everyone, stop flappin

 

[Tech9]

makes sense to turn off that feature temporarily until the upgrade is published.

Fixed already, just update the firmware.

RT-AX88U｜WiFi Routers｜ASUS Canada

ASUS gaming routers provide the very best gaming experience, with an arsenal of features and tools designed to improve online gaming performance and give you the competitive edge you need to win.

www.asus.com

Am I missing something

You know Chinese. I used this:

 

[Ripshod]

You know Chinese. I used this:

I know no Chinese, I used the same feature in chrome

 

[Ripshod]

Wow, that firmware was released July 26th. Can't find any mention of the CVE in this or the previous release.

 

[Tech9]

They don't list everything fixed in changelog. They never list whatever was broken in the process as well.