is AsusWRT-MERLIN 388.2_2 (dd 7 May 2023) affected by the security issues fixed in 3.0.0.4.386.51665 (dd 18 May 2023)? - RT-AX56U


BMx

New Around Here
Does anyone know if AsusWRT-MERLIN 388.2_2 (dd 7 May 2023) is affected by the security issues fixed in 3.0.0.4.386.51665 (dd 18 May 2023)?

Is it better to revert and flash the original Asus Firmware >or< can one keep going on the last-available Merlin Firmware?

*WAN Access is disabled - but running Wireguard and OpenVPN*

"Security updates:
-Enabled and supported ECDSA certificates for Let's Encrypt.
-Enhanced protection for credentials.
-Enhanced protection for OTA firmware updates.
-Fixed DoS vulnerabilities in firewall configuration pages. Thanks to Jinghe Gao's contribution.
-Fixed DoS vulnerabilities in httpd. Thanks to Howard McGreehan.
-Fixed information disclosure vulnerability. Thanks to Junxu (Hillstone Network Security Research Institute) contribution.
-Fixed CVE-2023-28702 and CVE-2023-28703. Thanks to Xingyu Xu(@tmotfl) contribution.
-Fixed null pointer dereference vulnerabilities. Thanks to Chengfeng Ye, P
 
It pays to read the Changelog. Time to buy a better router :


Asuswrt-Merlin Changelog
========================

3004.388.4 (21-Aug-2023)
- NOTE: In preparation for the new 3.0.0.6 codebase, the version
string will now start with 3004 or 3006 to match with
upstream.

- NOTE: The RT-AX56U is no longer supported, as Asus has put it
on End-of-Life status, and the previous Asuswrt-Merlin
388 releases for that model were all based on untested
code.
 
It pays to read the Changelog. Time to buy a better router :
Duh! Thanks for the super-constructive and helpful reply.

I am well aware what the Changelog reads and that was not my question!

And, perhaps you may be more considerate in future, for people who cannot afford to buy a high-priced router every 2 years, besides the electro-junk being created by such a short life-span. I cannot wait until the EU right-to-repair kicks in and companies like Asus cannot get away with this kind of fraud anymore.
 
Does anyone know if AsusWRT-MERLIN 388.2_2 (dd 7 May 2023) is affected by the security issues fixed in 3.0.0.4.386.51665 (dd 18 May 2023)?
You should ping @RMerlin directly.

It typically comes down to which Asus GPL version was used in the Merlin firmware you are asking about and if that Asus GPL has the security vulnerability fixes you seek. Sometimes the Asus-Merlin firmware lags behind the Asus stock firmware due to what Asus releases to RMerlin that is rolled into the Asus-Merlin firmware.
 
If you know that router is end of life then you also know it is only fit for use as an access point (or a door stop).
Whatever may have been patched in May won't help when the next raft of bugs and exploits are found and there is zero support.

Yes it is a disgrace that ASUS continue this habit of producing their wares and then dumping them when they are a couple of years old (or even younger), they do it right across the entire product range and they don't care at all.

People are extremely gullible, you only needed one router, then they sell you faster wifi, ooh look it's faster , damn that needs 2 devices to cover the house, now we see people wanting wifi 6 and 7 and they need 5-6-7 devices in this wonderous "mesh" , guess who is getting rich fooling the consumer with this "need" for speed and therefore more tech?

The answer is don't buy consumer routers . Get a mini pc , or something from Mikrotik , Turris, et.al and run Opensense/Pfsense or OpenWrt.
A mini pc running OpenWRT will last for a good few years.

I got sick of the nonsense from ASUS , bought a Turris Omnia and wish I had done so long ago. It just works , zero hassle , no drama.

.... so yes, get a better router .

EU Right to Repair , might cover hardware but firmware too? As it is ASUS may well just ignore what the EU thinks or says, this company is still selling their products to Russia, they ignore sanctions.
 
Yes it is a disgrace that ASUS continue this habit of producing their wares and then dumping them when they are a couple of years old ( or even younger) ,they do it right across the entire product range and they don't care at all.
Have you ever looked at the support lifecycle for Netgear, D-Link or TP-Link routers?

How many times have we heard about major security issues (read RCE or backdoor-level of issues) in D-Link routers, and D-Link would publicly say: "Tough luck, we no longer support these.". Meanwhile, I have seen Asus issue security updates for devices that were already EOL, because it was deemed serious enough. The RT-AC87U and RT-AC3200 are two models I remember getting security updates even after they had been officially put on their EOL list.

The RT-AX56U is nearly 4 years old, and it was an entry level AX model. I see $1000 phones and laptops lose support after two to three years. It's simply the reality of modern business there, Asus aren't doing worse than the rest (in fact they are generally doing much better in terms of long term support).

I wouldn't worry too much about the RT-AX58U being EOL, as long as you don't expose any of its services to the Internet. Compromising them would have to be done LAN-side, and would typically mean that a LAN device was already compromised, which would be the real issue there.

A mini pc running OpenWRT will last for a good few years.
Will that mini PC still receive BIOS updates after a year when the next microcode-level security issue is discovered in its CPU?
 
Sometimes the Asus-Merlin firmware lags behind the Asus stock firmware due to what Asus releases to RMerlin that is rolled into the Asus-Merlin firmware.
And sometimes I'm ahead of Asus, because I am generally faster than them at updating OpenSSL, OpenVPN (Asus are still on 2.4.x BTW) or dnsmasq. There's no clear answer there, as it depends on whether the issue is something within Asus's open code (in which case I occasionally get backport patches from them), Asus's closed code (which requires a GPL update) or within an open source component (in which case it depends if it's something I already updated or not).

That means one would have to review each individual fix to determine whether or not it applies. I have seen Asus report fixes in features that weren't even used by the router firmware on occasions.
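The triage RMerlin describes (same GPL branch and release line, or not) can be mechanised for a first pass. This is an added example, not code from the thread or from Asuswrt-Merlin; it assumes only the two version-string shapes that appear in this thread (stock `3.0.0.4.386.51665` / `3.0.0.4.386-51915` and Merlin `388.2_2` / `3004.388.4`) and treats any cross-branch or cross-line pair as "undetermined", i.e. the fix list must be reviewed item by item.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FwVersion:
    line: str               # "stock" (Asus) or "merlin" (Asuswrt-Merlin)
    branch: str             # Asus GPL branch the build is based on, e.g. "386" or "388"
    build: Tuple[int, ...]  # comparable only against builds of the same line


# Stock Asus shapes seen in the thread: 3.0.0.4.386.51665, 3.0.0.4.386_51665, 3.0.0.4.386-51915
_STOCK = re.compile(r"^3\.0\.0\.\d\.(\d{3})[._-](\d+)$")
# Merlin shapes: 388.2_2 and, from 3004.388.4 on, a 3004/3006 prefix matching upstream
_MERLIN = re.compile(r"^(?:\d{4}\.)?(\d{3})\.(\d+)(?:_(\d+))?$")


def parse_version(s: str) -> Optional[FwVersion]:
    """Parse either version shape; return None for anything unrecognised."""
    s = s.strip()
    m = _STOCK.match(s)
    if m:
        return FwVersion("stock", m.group(1), (int(m.group(2)),))
    m = _MERLIN.match(s)
    if m:
        return FwVersion("merlin", m.group(1), (int(m.group(2)), int(m.group(3) or 0)))
    return None


def assess(installed: str, fixed_in: str) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: patched, vulnerable, undetermined, unknown."""
    a, b = parse_version(installed), parse_version(fixed_in)
    if a is None or b is None:
        return "unknown", "unrecognised version string"
    if a.branch != b.branch:
        return "undetermined", (f"fix is on the {b.branch} branch, firmware is on {a.branch}; "
                                "review each listed fix individually")
    if a.line != b.line:
        return "undetermined", "different release line; check which Asus GPL the firmware is built on"
    if a.build >= b.build:
        return "patched", "same line and branch, build is at or above the fixed build"
    return "vulnerable", "same line and branch, build is below the fixed build"


if __name__ == "__main__":
    # The case asked in the thread: Merlin 388.2_2 against the stock fix build on the 386 branch
    print(assess("388.2_2", "3.0.0.4.386.51665"))
```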
 
Have you ever looked at the support lifecycle for Netgear, D-Link or TP-Link routers?

Yes, more consumer junk ................. not that it is relevant, the OP's problem is with an ASUS RT AX-56U .
 
not that it is relevant
It is in the sense that you call out Asus as if they were unusually bad there, when in fact they are not.

more consumer junk
Not everyone can afford to pay $400 for a pair of Ubiquiti APs, on top of another $200-$400 for the router itself.
 
You should ping @RMerlin directly.

It typically comes down to which Asus GPL version was used in the Merlin firmware you are asking about and if that Asus GPL has the security vulnerability fixes you seek. Sometimes the Asus-Merlin firmware lags behind the Asus stock firmware due to what Asus releases to RMerlin that is rolled into the Asus-Merlin firmware.
Thanks.

I think it is valid question if the Merlin Firmware is affected - @RMerlin .

These serious security bugs only affected:

1) RT-AC86U - 3.0.0.4.386-51915;

2) RT-AX55 - 3.0.0.4.386-51948

3) RT-AX56U_V2 - 3.0.0.4.386-51948

and Merlin Firmware is based on 388.2.

So my original question - better to downgrade to stock Asus Firmware with 386.xxx branch or stay on Merlin 388.2_2, if it was not affected.
 
@AndreiV EU right-to-repair encompasses Firmware updates for a minimum of 5 years. Otherwise you are no longer allowed to sell your stuff in EU and I think that is a bit much for Asus to lose.

Agreed about OpenWRT - I have an old TP-Link running that, as I got sick of standard Routers. But that unit is aging - will look at your other recommendations as well
 
It is in the sense that you call out Asus as if they were unusually bad there, when in fact they are not.
But they are extremely bad in my experience. Motherboards, network cards, wifi cards, Zenphone, 3 different routers , all dumped/end of life/no support within 24 months ....


Not everyone can afford to pay $400 for a pair of Ubiquiti APs, on top of another $200-$400 for the router itself.
No need to buy Ubiquiti , just use the junk ASUS router as an AP.;)
 
@RMerlin Thanks much.

I changed from years of frustration of TP-Link and D-Link to Asus, as it had a better track-record with Firmware updates and of course yourself. I was not aware that it is already 4 years old - AX Routers have not been around in my part of the world that long and I only purchased the unit 2 yrs ago. I'll use it as a Gateway for a while and then hope that OpenWRT will eventually support that Hardware.
 
@AndreiV EU right-to-repair encompasses Firmware updates for a minimum of 5 years. Otherwise you are no longer allowed to sell your stuff in EU and I think that is a bit much for Asus to lose.
Do you have an actual quote of this rule? Because I can guarantee you that 90% of hardware sold today gets less than five years of firmware updates. The vast majority of laptops and motherboards only get 2 years of BIOS updates, for example.
 
and then hope that OpenWRT will eventually support that Hardware.
Doubtful, as OpenWRT cannot support any Broadcom device due to the lack of open source drivers. At best it might allow to support it as a wired-only router.
 
Motherboards, network cards, wifi cards, Zenphone, 3 different routers , all dumped/end of life/no support within 24 months ....
Name me these three Asus routers that were EOL within 24 months.
 
Do you have an actual quote of this rule? Because I can guarantee you that 90% of hardware sold today gets less than five years of firmware updates. The vast majority of laptops and motherboards only get 2 years of BIOS updates, for example.
@RMerlin Have you got a translator?
https://www.heise.de/hintergrund/Wa...die-Smartphone-Reperatur-bringen-9207754.html .

If you are interested in such subjects, follow @ilumium@eupolicy.social on Mastodon - there was lots of discussion about that and other pertinent issues.
 