Merlin Firmware and CVE\Security Patches

[TikingAlien007]

Hi,

I need some information about how Security (CVEs) are handled in the Merlin firmware. There is a security advisory from around two weeks ago that ASUS have released to the public saying to patch the routers to the latest version of their original firmware. I have checked the details log for my router and some of them are included in the official ASUSWRT firmware like CVE-2023-28702 and CVE-2023-28702 but when I checked the Merlin's Changelog, I couldn't find them.

l also noticed that the latest official ASUSWRT firmware is a few months old but Merlin's one was released a month after but still doesn't have the above listed CVE's that are included in its official firmware from ASUS. I noticed that some features may vary between ASUS's official firmware and the Merlin's one but the said vulnerable components for example like Netatalk are still used by both but there are no fixes for it on the Merlin's firmware going by the changelog ?

Am I missing something here ?
I will appreciate a helping hand here.

 

[AndreiV]

There is a search facility which would have helped you and when you created your thread you should have had a "similar post " notice come up.

Already asked and fully answered here

 

[bennor]

See here:

ASUS urges customers to patch critical router vulnerabilities

“ASUS urges customers to patch critical router vulnerabilities”: https://www.bleepingcomputer.com/news/security/asus-urges-customers-to-patch-critical-router-vulnerabilities/ (Was this already posted somewhere?) “The list of impacted devices includes the following models: GT6, GT-AXE16000...

www.snbforums.com

 

[ColinTaylor]

... but when I checked the Merlin's Changelog, I couldn't find them.

Merlin's changelog doesn't normally duplicate the information in the Asus release notes. If Merlin's changelog says "Merged with GPL 388_22525" you can assume that all relevant fixes mentioned in the corresponding (and prior) Asus release notes are included.

 

[Deleted member 84281]

Merlin's changelog doesn't normally duplicate the information in the Asus release notes. If Merlin's changelog says "Merged with GPL 388_22525" you can assume that all relevant fixes mentioned in the corresponding (and prior) Asus release notes are included.

True. So there is a few security patches that are not included in the latest Merlin builds. Using the latest Stock firmware is the only way to be sure. Asus is not giving Merlin GPL code fast enough to catch up. I expect this is Asus plan, not sure.

 

[TikingAlien007]

There is a search facility which would have helped you and when you created your thread you should have had a "similar post " notice come up.

Already asked and fully answered here

It doesn't look like there were any as I was checking that section but nothing showed up, I probably didn't hit the right keywords so they might have not appeared on the list. Ok, I was originally looking for answers about the patched CVE's but after reading other posts across this forum, I'm even more confused now that before I started reading it

True. So there is a few security patches that are not included in the latest Merlin builds. Using the latest Stock firmware is the only way to be sure. Asus is not giving Merlin GPL code fast enough to catch up. I expect this is Asus plan, not sure.

What a pain in the neck this is, I mainly need Merlin firmware to be able to disable FTP Port on the WAN port that can't be disabled with the Asus's official firmware but at the same time I don't fancy skipping any security patches. No middle road here it seems.

Merlin's changelog doesn't normally duplicate the information in the Asus release notes. If Merlin's changelog says "Merged with GPL 388_22525" you can assume that all relevant fixes mentioned in the corresponding (and prior) Asus release notes are included.

Where can I find changelog for 388_22525 ? I presume that since it was merged with 388, the current change log that contains 388.1 (3-Dec-2022) already should have the said fixes ?

 

[Deleted member 84281]

It doesn't look like there were any as I was checking that section but nothing showed up, I probably didn't hit the right keywords so they might have not appeared on the list. Ok, I was originally looking for answers about the patched CVE's but after reading other posts across this forum, I'm even more confused now that before I started reading it

Many people on this forum SNB are way to critical. To the point many have left all together. That said the search function here don't work very well at all. So just ignore the know it all's.

 

[bennor]

As indicated RMerlin has addressed the major CVE's mentioned in the Asus security notice. See his posts here:
https://www.snbforums.com/threads/a...ical-router-vulnerabilities.85553/post-849841
https://www.snbforums.com/threads/a...ical-router-vulnerabilities.85553/post-850214
https://www.snbforums.com/threads/a...ical-router-vulnerabilities.85553/post-852201

Review the Asus-Merlin change logs, as some CVE fixes are mention in them.
Current Change Log: https://www.asuswrt-merlin.net/changelog
Change Log 386.xx: https://www.asuswrt-merlin.net/node/14
Change Log 380.xx: https://www.asuswrt-merlin.net/changelog-380

The Asus-Merlin firmware is compiled from the GPL files Asus provides to RMerlin. It is not uncommon for those GPL files to run a release behind, or weeks to months behind, what Asus themselves publishes on their support website. As indicated in the links above, RMerlin sometimes patches or updates services or modules to fix issues that are left unaddressed or even unpatched by Asus. To find out what Asus themselves have patched, see the release notes for each firmware version Asus publishes for one's router model.