open WRT security hole

asuswrt and asuswrt-merlin are basically unusable: https://www.cvedetails.com/vulnerab...&sha=1246a655228426974d68bcfe7fe98d09ed0e10ca

as documented by merlin to me on this blog, he just gets the BLOB from Asus, then does his minor tweaks, and doesn't really emphasize security.

20 openwrt developers have mitigated the above issue in the last 3 firmware upgrades, and are working on using https to deliver upgrades. no attacks reported. I'm sure colin taylor will have a politically motivated response to the facts!
 
Really? Looking down the list you cite, all the firmware shown has already been updated.
 
Might want to loosen up that tinfoil hat there, I think it's cutting off circulation :rolleyes:
 
asuswrt and asuswrt-merlin are basically unusable:

What's your point here? Those security holes are long fixed. And half of them aren't even related to Asuswrt, but to other Asus devices. Your list includes a security issue with their touchpad...

Also, try the same query using Netgear, TP-Link, D-Link, and so on... Then, look at the average severity score of all of these.

You tell me which one is the most "unusable" of the lot.

and doesn't really emphasize security.

I'm the one who tightened file permissions, reduced execution privileges on some daemons like avahi, added OpenVPN support, upgraded to OpenSSL 1.1.1, removed the ability to execute commands over a web page, added SMB 2.0 support, added FTP TLS support. Your statement is incorrect.

EDIT: oh, and I forgot. I added HTTPS support to the webui before Asus did. Also, I disabled SSLv3 support and enforced more secure ciphers before they did.

You're welcome.
 
Is asus wRT or merlin affected by this?

I refuse to implement automatic firmware upgrade for this specific reason: security.

As for Asus, they have been implementing RSA signing to their firmware updates for quite some time now. They are ahead of OpenWRT in that aspect.
 
Take no notice Eric, this guy pops up with his anti ASUS agenda every few months, maybe somebody piddled on his cornflakes this morning.

I know. However I felt it was important to point out the numerous security enhancements I have added to this firmware (many of which are also available in the stock firmware now), in case someone else came to this thread through a Google search.
 
Good stuff. Thanks for the feedback guys.
 
Over the years you have, bit by bit, added a massive amount to the ASUS router.
I know that only too well, having recently retired my AC3200 and replaced it with the AX92U twin pack. I turned them on and was stunned to see the ASUS GUI, it is at least 50% smaller than Merlin.

I had to check twice to be sure there wasn't a problem with the firmware, it made me realise exactly how much work you have done over the last 5 years.
 