Asuswrt-Merlin is NOT vulnerable to any of the new SSLv2 flaws

RMerlin

Asuswrt-Merlin dev
Asuswrt-Merlin is not vulnerable to any of the new OpenSSL flaws that target the old SSLv2 protocol, as SSLv2 (and v3) support has been disabled in Asuswrt-Merlin since late 2014:

https://github.com/RMerl/asuswrt-merlin/commit/653dc8c5b0d45c13c41d5402cbd7e89121ad1dd9
https://github.com/RMerl/asuswrt-merlin/commit/5bb4c10519f854396e19e3646fa2d47122d79422

So, no need to panic, just make sure you run a firmware that isn't over 12 months old.

(stickying this for a week or two while the storm rolls)
 
Does the same go for recent Asus stock firmware ?
 
I know their https no longer uses SSLv2/v3 either (they merged my mssl library changes at the same time they upgraded to OpenSSL 1.0.2). I don't remember however if their Makefile also explicitly disables it in the openssl library itself. If they don't, then the two potential vectors of attack would be AiCloud (need to check how they configured lighttpd) and OpenVPN (does OpenVPN even support SSLv2 at all? I don't know).
 
AiCloud is also safe in stock FW. From write_webdav_conf:

Code:
  fprintf(fp, "  ssl.use-sslv2=\"disable\"\n");
  fprintf(fp, "  ssl.use-sslv3=\"disable\"\n");
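
One way to check a generated lighttpd configuration for the two directives quoted above, as an added example that is not part of the original post or of the firmware source. The function names and the sample file are constructed for illustration; a directive that is never assigned is reported as "unset" because the script assumes nothing about lighttpd's built-in defaults.

```shell
#!/bin/sh
# Added example: audit a lighttpd config for ssl.use-sslv2 / ssl.use-sslv3.
# Conservative rule: a single non-"disable" assignment anywhere in the file
# (including inside a $SERVER["socket"] block) counts as enabled.

# proto_state FILE PROTO   (PROTO is sslv2 or sslv3)
# Prints "disable", "enable" or "unset".
proto_state() {
    # Drop comments first so a commented-out directive is not counted,
    # then extract the quoted value of every assignment of the directive.
    vals=$(sed -e 's/#.*$//' "$1" |
        sed -n "s/^[[:space:]]*ssl\.use-$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p")
    if [ -z "$vals" ]; then
        echo unset
        return
    fi
    for v in $vals; do
        if [ "$v" != "disable" ]; then
            echo enable
            return
        fi
    done
    echo disable
}

# audit_lighttpd_conf FILE
# Prints one line per directive; returns 0 only if both are explicitly disabled.
audit_lighttpd_conf() {
    rc=0
    for p in sslv2 sslv3; do
        s=$(proto_state "$1" "$p")
        echo "ssl.use-$p: $s"
        [ "$s" = "disable" ] || rc=1
    done
    return $rc
}

# Constructed sample in the format the fprintf calls above would emit
# (not copied from a real router).
sample=$(mktemp)
printf '  ssl.use-sslv2="disable"\n  ssl.use-sslv3="disable"\n' > "$sample"
audit_lighttpd_conf "$sample" && echo "PASS: SSLv2 and SSLv3 explicitly disabled"
rm -f "$sample"
```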
 
What about OpenVPN? It must be very safe....a lot of people are using it....so, are we safe?

sent from Kodi 17 Krypton
 
There's no SSLv2 support _at all_ in Asuswrt-Merlin. It's disabled right in the OpenSSL library itself.
 
And apparently OpenVPN only supports TLS 1.0 and up - no support for SSLv2 or SSLv3.
 
Merlin, how secure are Asus routers, or more specifically their source code, vs a pfSense firewall for example, for someone with the knowledge of how to hack to get past them? I'm more interested in whether it's easy for, let's say, the NSA to hack into an Asus router vs pfSense for example. Maybe a silly question, but I would appreciate an expert answer. Thank you in advance.
 
This is a question that is impossible to answer.

Anyway, the biggest threat to security, most of the time, will be the user. Reading some introductory books on the topics of firewalling & networking might be a good start.


AFAIK, RMerlin uses an Asus RT-AC88U as the primary router in his own house, which might answer part of your question.
 
I would tend to agree - there's no such thing as "perfect" code - and there are bugs in every OS that have been around for years - most of them are unintentional... whether it's this SSLv2 bug, which, while serious, is actually an extension of a very old bug - the glibc scare last week - same thing, it's been there for years...
 
