Router failing PCI Compliancy due to OpenSSH vulnerability

Discussion in 'Asuswrt-Merlin' started by jadog, Feb 19, 2019.

  1. jadog

    jadog Occasional Visitor

    I have been using the Asus-Merlin firmware on an RT-66U router for a number of years. The current firmware is 384.7. The router sits directly behind a modem and all other switches or networking appliances connect directly to the router at our business. Each quarter I am getting a notice from our credit card company that shows the TrustWave PCI scan is failing with the message "OpenSSH Username Enumeration Vulnerability". The recommended step then indicates that I should upgrade to OpenSSH 7.8 or later. I am attaching the PCI report showing the failed scan.

    I have reviewed the configuration on my router and DDNS is NOT enabled and neither is remote WAN access (see attached image). Does anybody have a suggestion?
     


  2. RMerlin

    RMerlin Super Moderator

    Their test is flawed, since Asuswrt-Merlin doesn't even have OpenSSH...
     
  3. CasualObserver

    CasualObserver New Around Here

    Have a look at this, as it is likely the Dropbear equivalent to the reported CVE-2018-15473 OpenSSH vulnerability:

    Name: CVE-2018-15599
    Description: The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase.
     
  4. CasualObserver

    CasualObserver New Around Here

    The release below had a fix go in for CVE-2018-15599; I would make sure that the minimum version you are using is the release noted here:

    384.7_2 (21-Oct-2018)
    - FIXED: Namecheap DDNS service not working
    - FIXED: CVE-2018-15599 security issue in Dropbear
    - FIXED: Potential buffer overrun in httpd
     
  5. jadog

    jadog Occasional Visitor

    Awesome! Thank you guys. I'll give that a go and report back.
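
A triage sketch for the situation in this thread, added here as an example and not code from any poster or from Asuswrt-Merlin: it reads the SSH identification string to tell OpenSSH from Dropbear and applies the thresholds quoted above (OpenSSH 7.8, Dropbear 2018.76, firmware 384.7_2). The function names, result strings and sample banners are constructed, and the firmware version is assumed to be supplied by the operator.

```python
import re

# SSH identification string: "SSH-<proto>-<software>[_<version>...]"
BANNER_RE = re.compile(r"^SSH-\d+\.\d+-([A-Za-z]+)(?:_(\d+(?:\.\d+)*))?")
# Asuswrt-Merlin release string as written in the changelog, e.g. "384.7_2"
FW_RE = re.compile(r"^(\d+)\.(\d+)(?:_(\d+))?$")

def parse_banner(banner):
    """Return (implementation, version tuple or None) from an SSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return ("unknown", None)
    ver = tuple(int(p) for p in m.group(2).split(".")) if m.group(2) else None
    return (m.group(1).lower(), ver)

def parse_merlin(fw):
    """'384.7_2' -> (384, 7, 2); a missing _N revision counts as 0."""
    m = FW_RE.match(fw.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def triage(banner, merlin_fw=None):
    """Map a banner (plus optional firmware release) to the CVE that matters."""
    impl, ver = parse_banner(banner)
    if impl == "openssh":
        if ver is None or ver < (7, 8):
            return "CVE-2018-15473: affected or unknown, needs OpenSSH 7.8+"
        return "CVE-2018-15473: not affected"
    if impl == "dropbear":
        fw = parse_merlin(merlin_fw) if merlin_fw else None
        # The thread ties the Dropbear fix to the firmware release, so a
        # known-good firmware version takes priority over the banner version.
        if fw is not None and fw >= (384, 7, 2):
            return "CVE-2018-15599: fixed per firmware changelog"
        if ver is None or ver <= (2018, 76):
            return "CVE-2018-15599: treat as affected"
        return "CVE-2018-15599: not affected"
    return "unrecognized SSH implementation"

if __name__ == "__main__":
    # Constructed sample banners, not captured from any real device.
    for banner, fw in [("SSH-2.0-dropbear_2018.76", "384.7"),
                       ("SSH-2.0-dropbear_2018.76", "384.7_2"),
                       ("SSH-2.0-OpenSSH_7.4p1", None)]:
        print(banner, fw, "->", triage(banner, fw))
```
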