[Release] Asuswrt-Merlin 384.11 is available

[RMerlin]

Hi Merlin,

Asus recently released a couple of security updates for the RT-AC87U in May 2019 - Version 3.0.0.4.382.51634

• Fixed DDoS vulnerability.
• - Fixed AiCloud vulnerability. Thanks for Matt Cundari's contribution.
• - Fixed command injection vulnerability. Thanks for S1mba Lu's contribution.
• - Fixed buffer overflow vulnerability. Thanks for Javier Aguinaga's contribution.
• - Fixed CVE-2018-20334
• - Fixed CVE-2018-20336
• - Fixed null pointer issue. Thanks for CodeBreaker of STARLabs’ contribution.
• - Fixed AiCloud buffer overflow vulnerability. Thanks for Resecurity International's contribution.

Would most of these security issues be already fixed in 384.11_2 which I currently use

I don't know since there are no details as to the exact issues that are resolved, so it's possible that some of these might either be already fixed, or not apply to my firmware. However they are certainly included in 384.12, which is based on the latest 384 code (released at the same time as 382_5163x).

 

[RMerlin]

I ran across something when testing DNS over TLS that might be of interest. I had quad9 set as my DNS for TLS. However using a DNS Leak Tester (e.g. http://dnsleak.com/ or https://dnsleaktest.com/ ) I got

• DNS IP: 66.185.124.244
• Hostname: res300.mad.rrdns.pch.net
• ISP: WoodyNet
• Country: United States

(where the 300 could be 100, 200)

As where the DNS queries go to. This initially looked very odd. However it turns out that Quad9 is an anycast DNS, which routes queries to the nearest server. Quad9 uses PCH (Packet Clearing House) to host DNS servers. PCH’s Director is Bill Woodcock aka Woody. So in summary, odd but okay...

pch.net = Quad9.

 

[mulkman]

error

 

[JohnSmith]

RT-AX88U with V384.11_2 Final has been up for over 23 days straight, and still running strong, with over 30 devices attached, downloads, streaming, etc., all working as expected.

Thanks RMerlin!!

 

[Ditch]

Which VPN server/client?

Have you checked that the RPDB rule and iptables nat rule are still in place?

ip rule

iptables --line -t nat -nvL POSTROUTING

Both OVPN
this is the output

@RT-AC86U-8DB8:/tmp/home/root# ip rule

0:    from all lookup local

10001:    from 192.168.1.116 lookup main

10002:    from 192.168.1.250 lookup main

10003:    from 192.168.1.248 lookup main

10004:    from 192.168.1.126 lookup main

10005:    from 192.168.1.35 lookup main

10006:    from 192.168.1.179 lookup main

10007:    from 192.168.1.232 lookup main

10008:    from 192.168.1.194 lookup main

10009:    from 192.168.1.181 lookup main

10010:    from 192.168.1.176 lookup main

10101:    from 192.168.1.0/24 lookup ovpnc1

10102:    from 10.8.0.0/24 lookup ovpnc1

32766:    from all lookup main

32767:    from all lookup default

@RT-AC86U-8DB8:/tmp/home/root# iptables --line -t nat -nvL POSTROUTING

Chain POSTROUTING (policy ACCEPT 97964 packets, 7449K bytes)

num   pkts bytes target     prot opt in     out     source               destination        

1    97921 9617K MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0          

2        4   256 MASQUERADE  all  --  *      tun1+   10.8.0.0/24          0.0.0.0/0          

3        0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0            policy match dir out pol ipsec

4    58901 3848K PUPNP      all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          

5    53352 3460K MASQUERADE  all  --  *      ppp0   !213.xx.xx.xx        0.0.0.0/0          

6        0     0 MASQUERADE  all  --  *      eth0   !192.168.0.2          0.0.0.0/0          

7     2803  366K MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24