ASUS RT-N66U Firmware version 3.0.0.4.374.5517

wouterv

Version 3.0.0.4.374.5517
2014.04.16

Security related issues:
1. Fixed remote command execution vulnerability.
2. Fixed cross site scripting vulnerability.
3. Fixed parameters buffer overflow vulnerability.
4. Fixed XSS(Cross Site Scripting) vulnerability.
5. Fixed CSRF(Cross Site Request Forgery) vulnerability.
6. Added auto logout function. The timeout time can be configured in - Administration--> System.
7. Included patches related to network map. Thanks for Merlin's contribution.
8. Fixed password disclosure in source code when administrator logged in.
9. Changed OpenSSL Library from 1.0.0.b to 1.0.0.d. Both OpenSSL versions are not vulnerable to heartbleed bug.

Others:
1. Fixed IPTV related issues.
2. Modified the 3G/LTE dongle setting process in quick internet setup wizard.
3. Fixed the Cloud sync problem.
4. Fixed Parental control check box UI issues.
5. Modified the FTP/ Samba permission setting UI.
6. Modified media server setting UI.
7. Samba/ media server/ iTunes server name can be changed.
8. Dual WAN failover now supports failback.
9. Fixed wake on lan magic packet sending issue.
10. Fixed false alarm for samba and ftp permission.
11. Fixed IPv6 related issues.

Special thanks for David and Palula’s research.
CVE-2014-2719 http://dnlongen.blogspot.com/2014/04/CVE-2014-2719-Asus-RT-Password-Disclosure.html
Remote command execution http://seclists.org/fulldisclosure/2014/Apr/58
Reflected XSS: http://seclists.org/fulldisclosure/2014/Apr/59
 
The upgrade from version 4561 to 5517 went smoothly.
No hard reset or factory defaults required.
I anyhow reverted to factory defaults and configured everything manually again.
So far so good; looking at the release notes with the many security fixes, this seems to be a mandatory upgrade.

USB application - Servers center > Network Place(Samba) Share / Cloud Disk and Miscellaneous setting are now combined in one page.
 
I updated to this from Merlin yesterday to try out. It has OpenVPN! I tried to create a tunnel to my VPN provider (PIA) and it would connect but no internet access. Strange because it worked fine in Merlin (though a bit slow).
 
I can't connect to PIA with the standard firmware of RT-AC68U or R using OpenVPN either... Merlin's firmware works great with OpenVPN! PPTP and L2TP work great on the standard firmware but not OpenVPN with standard firmware, at least not for me... But I could be doing something wrong...
 
I can't connect to PIA with the standard firmware of RT-AC68U or R using OpenVPN either... Merlin's firmware works great with OpenVPN! PPTP and L2TP work great on the standard firmware but not OpenVPN with standard firmware, at least not for me... But I could be doing something wrong...

I find the same thing. Can't connect to home whatsoever. I must be missing something but it makes me feel dumb! Will try Tomato next.
 
Advanced Settings > Firewall > IPv6 Firewall > Famous Server List (Dropdown Menu)

Is this a new configuration option? What does it do?
 
The upgrade from version 4561 to 5517 went smoothly.
No hard reset or factory defaults required.
I anyhow reverted to factory defaults and configured everything manually again.
So far so good; looking at the release notes with the many security fixes, this seems to be a mandatory upgrade.

USB application - Servers center > Network Place(Samba) Share / Cloud Disk and Miscellaneous setting are now combined in one page.

Can I ask you how to understand whether a factory reset is needed after an upgrade?
 
I'm seeing a bug in the System > Administration tab. It shows the router password as blank and "Very Weak" even after I enter a long password, hit Apply, log out and in (using the long password), reboot the router etc. If I toggle "Show password" enough times, it fills in the Password box with the router login name and part of the password.
 
Advanced Settings > Firewall > IPv6 Firewall > Famous Server List (Dropdown Menu)

Is this a new configuration option? What does it do?
It is there since the introduction of the IPv6 firewall.
It helps you to create firewall rules.
 
Can I ask you how to understand whether a factory reset is needed after an upgrade?
The firmware release notes should tell you if a hard reset and manual re-configure is required, usually after a major driver upgrade inside the firmware; it also depends on how old the firmware is that you are upgrading to the latest and greatest.
An upgrade from 4561 to 5517 does not require a hard reset.
E.g. an upgrade from 270 to 5517 does require a hard reset and manual re-configure.
Anyway a fresh start never hurts :)
 
I'm seeing a bug in the System > Administration tab. It shows the router password as blank and "Very Weak" even after I enter a long password, hit Apply, log out and in (using the long password), reboot the router etc. If I toggle "Show password" enough times, it fills in the Password box with the router login name and part of the password.
That is a bug in a security fix.

The fix is that the code of the configuration page no longer contains your Username and Password in clear text, see:
http://dnlongen.blogspot.nl/2014/04/CVE-2014-2719-Asus-RT-Password-Disclosure.html

The bug is that the strength checker and show password function are somewhat broken because they can no longer find your Username and Password in the page code.
The checker does work at the moment you type in a new password.
 
I updated to this from Merlin yesterday to try out. It has OpenVPN! I tried to create a tunnel to my VPN provider (PIA) and it would connect but no internet access. Strange because it worked fine in Merlin (though a bit slow).

I don't see any openvpn in the GUI in this release.

If going from Merlin to stock you need to reset to defaults or you may have bits from Merlin's left over that are not in the stock firmware.
 
.4561 to .5517 needed a factory re-set for me to get rid of the exclamation point in the top right of GUI. Anyone else have this issue?
 
That is a bug in a security fix.

The fix is that the code of the configuration page no longer contains your Username and Password in clear text, see:
http://dnlongen.blogspot.nl/2014/04/CVE-2014-2719-Asus-RT-Password-Disclosure.html

The bug is that the strength checker and show password function are somewhat broken because they can no longer find your Username and Password in the page code.
The checker does work at the moment you type in a new password.

Nice find, thank you.
 
Just tested it and it doesn't work. After 30 minutes it did not log me out and my user name and password were clearly visible.
 
I don't see any openvpn in the GUI in this release.

If going from Merlin to stock you need to reset to defaults or you may have bits from Merlin's left over that are not in the stock firmware.
VPN is under Advanced Settings > VPN.
According to Merlin, stock VPN is since the previous version identical to his (Open)VPN version.
 
Just tested it and it doesn't work. After 30 minutes it did not log me out and my user name and password were clearly visible.
The username is indeed visible, which is not a big deal.
If I open the Administration > System page, the password field is blank, the strength is "very weak" and the tick box "show password" does not have any effect.
If I enter a new password, it shows either *** or clear text, depending on the check box, and the strength checker works.

Out of curiosity and to check if that did the trick for me: did you revert to factory defaults and re-configure manually?

The logout timer is running now...

[EDIT]
Exactly after the default 30 minutes, without touching the configuration page, a "You are not logged in" screen appeared with the login dialog.
After login, it did not automatically revert to the previous page.
This test was done with Firefox 28.0.
 
The firmware release notes should tell you if a hard reset and manual re-configure is required, usually after a major driver upgrade inside the firmware; it also depends on how old the firmware is that you are upgrading to the latest and greatest.
An upgrade from 4561 to 5517 does not require a hard reset.
E.g. an upgrade from 270 to 5517 does require a hard reset and manual re-configure.
Anyway a fresh start never hurts :)

Thanks, I never noticed it.

Just as a confirmation, I can see only firmware 720 indicates the need for hard reset

http://support.asus.com/download.as...N66U (VER.B1)&os=30&hashedid=PZkFHlMrGWzVROxT

ASUS RT-N66U Firmware Version 3.0.0.4.374.720
This version adds many new features; please press the reset button for more than 5 seconds to reset the RT-N66U after the firmware is upgraded to prevent unexpected problems.

I jumped from 4422 to 5517, without passing by 4561; that means a hard reset is not needed, is that correct?

Of course it wouldn't hurt, but just to get an idea
 
Thanks, I never noticed it.

Just as a confirmation, I can see only firmware 720 indicates the need for hard reset

http://support.asus.com/download.as...N66U (VER.B1)&os=30&hashedid=PZkFHlMrGWzVROxT



I jumped from 4422 to 5517, without passing by 4561; that means a hard reset is not needed, is that correct?

Of course it wouldn't hurt, but just to get an idea

My previous "factory defaults" was indeed after the upgrade to 720.
From 720 to 979 to 2239 to 4422 to 4561 and initially to 5517 was all without reverting to factory defaults, just upgrading over the previous older version.
 