open WRT security hole

Discussion in 'Asuswrt-Merlin' started by anotherengineer, Apr 1, 2020.

  1. anotherengineer

    anotherengineer Occasional Visitor

  2. ColinTaylor

    ColinTaylor Part of the Furniture

    No. Asuswrt/Merlin is not OpenWRT.

    EDIT: See post #7.
     
    Last edited: Apr 1, 2020
  3. CrystalLattice

    CrystalLattice Regular Contributor

    asuswrt and asuswrt-merlin are basically unusable: https://www.cvedetails.com/vulnerab...&sha=1246a655228426974d68bcfe7fe98d09ed0e10ca

    As documented by Merlin to me on this blog, he just gets the BLOB from Asus, then does his minor tweaks, and doesn't really emphasize security.

    20 OpenWrt developers have mitigated the above issue in the last 3 firmware upgrades, and are working on using HTTPS to deliver upgrades. No attacks reported. I'm sure Colin Taylor will have a politically motivated response to the facts!
     
  4. AndreiV

    AndreiV Very Senior Member


    Really? Looking down the list you cite, all the firmware shown has already been updated.
     
  5. Adamm

    Adamm Part of the Furniture

    Might want to loosen up that tinfoil hat there, I think it's cutting off circulation :rolleyes:
     
  6. RMerlin

    RMerlin Super Moderator

    What's your point here? Those security holes are long fixed. And half of them aren't even related to Asuswrt, but to other Asus devices. Your list includes a security issue with their touchpad...

    Also, try the same query using Netgear, TP-Link, D-Link, and so on... Then, look at the average severity score of all of these.

    You tell me which one is the most "unusable" of the lot.

    I'm the one who tightened file permissions, reduced execution privileges on some daemons like avahi, added OpenVPN support, upgraded to OpenSSL 1.1.1, removed the ability to execute commands over a web page, added SMB 2.0 support, added FTP TLS support. Your statement is incorrect.

    EDIT: Oh, and I forgot. I added HTTPS support to the webui before Asus did. Also, I disabled SSLv3 support and enforced more secure ciphers before they did.

    You're welcome.
     
    Last edited: Apr 1, 2020
  7. RMerlin

    RMerlin Super Moderator

    I refuse to implement automatic firmware upgrade for this specific reason: security.

    As for Asus, they have been implementing RSA signing to their firmware updates for quite some time now. They are ahead of OpenWRT in that aspect.
     
  8. AndreiV

    AndreiV Very Senior Member

    Take no notice, Eric, this guy pops up with his anti-ASUS agenda every few months, maybe somebody piddled on his cornflakes this morning.
     
  9. RMerlin

    RMerlin Super Moderator

    I know. However, I felt it was important to point out the numerous security enhancements I have added to this firmware (many of which are also available in the stock firmware now), in case someone else came to this thread through a Google search.
     
  10. anotherengineer

    anotherengineer Occasional Visitor

    Good stuff. Thanks for the feedback, guys.
     
  11. AndreiV

    AndreiV Very Senior Member


    Over the years you have, bit by bit, added a massive amount to the ASUS router.
    I know that only too well, having recently retired my AC3200 and replaced it with the AX92U twin pack. I turned them on and was stunned to see the ASUS GUI; it is at least 50% smaller than Merlin.

    I had to check twice to be sure there wasn't a problem with the firmware. It made me realise exactly how much work you have done over the last 5 years.
     
    Last edited: Apr 2, 2020