CVE-2016-3116 - Dropbear SSH xauth injection

[IngoPan]

Hi,


I today read a security advise regarding dropbear. My AsusWRMerlin runs dropbear v2014.66.
Is this a problem for us?

http://seclists.org/fulldisclosure/...al&utm_source=twitter.com&utm_campaign=buffer

 

[RMerlin]

Vulnerable, but not a problem. You need to be authenticated to exploit this, which means you need to have the router's admin password anyway, since it's the only SSH user.

There's also no xauth command on the firmware.