open WRT security hole


CrystalLattice

Senior Member

asuswrt and asuswrt-merlin are basically unusable: https://www.cvedetails.com/vulnerab...&sha=1246a655228426974d68bcfe7fe98d09ed0e10ca

as documented by merlin to me on this blog, he just gets the BLOB from Asus, then does his minor tweaks, and doesn't really emphasize security.

20 openwrt developers have mitigated the above issue in the last 3 firmware upgrades, and are working on using https to deliver upgrades. no attacks reported. I'm sure colin taylor will have a politically motivated response to the facts!
 

AndreiV

Very Senior Member
> asuswrt and asuswrt-merlin are basically unusable: https://www.cvedetails.com/vulnerab...&sha=1246a655228426974d68bcfe7fe98d09ed0e10ca
>
> as documented by merlin to me on this blog, he just gets the BLOB from Asus, then does his minor tweaks, and doesn't really emphasize security.
>
> 20 openwrt developers have mitigated the above issue in the last 3 firmware upgrades, and are working on using https to deliver upgrades. no attacks reported. I'm sure colin taylor will have a politically motivated response to the facts!


Really? Looking down the list you cite, all the firmware shown has already been updated.
 

Adamm

Part of the Furniture
> asuswrt and asuswrt-merlin are basically unusable: https://www.cvedetails.com/vulnerab...&sha=1246a655228426974d68bcfe7fe98d09ed0e10ca
>
> as documented by merlin to me on this blog, he just gets the BLOB from Asus, then does his minor tweaks, and doesn't really emphasize security.
>
> 20 openwrt developers have mitigated the above issue in the last 3 firmware upgrades, and are working on using https to deliver upgrades. no attacks reported. I'm sure colin taylor will have a politically motivated response to the facts!

Might want to loosen up that tinfoil hat there, I think it's cutting off circulation :rolleyes:
 

RMerlin

Asuswrt-Merlin dev
> asuswrt and asuswrt-merlin are basically unusable:

What's your point here? Those security holes are long fixed. And half of them aren't even related to Asuswrt, but to other Asus devices. Your list includes a security issue with their touchpad...

Also, try the same query using Netgear, TP-Link, D-Link, and so on... Then, look at the average severity score of all of these.

You tell me which one is the most "unusable" of the lot.

> and doesn't really emphasize security.

I'm the one who tightened file permissions, reduced execution privileges on some daemons like avahi, added OpenVPN support, upgraded to OpenSSL 1.1.1, removed the ability to execute commands over a web page, added SMB 2.0 support, added FTP TLS support. Your statement is incorrect.

EDIT: oh, and I forgot. I added HTTPS support to the webui before Asus did. Also, I disabled SSLv3 support and enforced more secure ciphers before they did.

You're welcome.
 

RMerlin

Asuswrt-Merlin dev
> Is asus wRT or merlin affected by this?

I refuse to implement automatic firmware upgrade for this specific reason: security.

As for Asus, they have been implementing RSA signing to their firmware updates for quite some time now. They are ahead of OpenWRT in that aspect.
 

RMerlin

Asuswrt-Merlin dev
> Take no notice Eric, this guy pops up with his anti ASUS agenda every few months, maybe somebody piddled on his cornflakes this morning.

I know. However I felt it was important to point out the numerous security enhancements I have added to this firmware (many of which are also available in the stock firmware now), in case someone else came to this thread through a Google search.
 

anotherengineer

Regular Contributor
Good stuff. thanks for the feedback guys.
 

AndreiV

Very Senior Member
> I know. However I felt it was important to point out the numerous security enhancements I have added to this firmware (many of which are also available in the stock firmware now), in case someone else came to this thread through a Google search.


Over the years you have, bit by bit, added a massive amount to the ASUS router.
I know that only too well, having recently retired my AC3200 and replaced it with the AX92U twin pack. I turned them on and was stunned to see the ASUS GUI, it is at least 50% smaller than Merlin.

I had to check twice to be sure there wasn't a problem with the firmware, it made me realise exactly how much work you have done over the last 5 years.
 