
RT-68U (Firmw 384.8.2) Vulnerabilities revealed by zANTI

Discussion in 'Asuswrt-Merlin' started by brumac, Jan 11, 2019.

  1. brumac

    brumac New Around Here

    Joined:
    Jan 11, 2019
    Messages:
    8
    Good morning, I am not an expert and need help.
    Yesterday I tested the vulnerabilities of my RT-68U (Firmware Asuswrt-Merlin 384.8.2) with zANTI.
    Result:
    Vulnerabilities (3):
    smb-vuln-cve2009-3103
    http-slowloris-check
    http-method-tamper
    Do I have to change the configuration?
    What should I do?
    Greetings to everyone!
    PS Google translator
     
  2. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,600
    Location:
    United Kingdom
    For starters, run the Router Security Assessment on the AIProtection page.

    Did you look up the CVE on Google?

    Have you got SAMBA share enabled under USB Application?
     
    Last edited: Jan 11, 2019
  3. brumac

    brumac New Around Here

    Joined:
    Jan 11, 2019
    Messages:
    8
    I looked for CVE on Google. I did not understand anything. I apologize for my ignorance.
    In the AIProtection page, Enabled AiProtection is OFF! Router Security Assessment gives me 3 Risks:
    Malicious Website Blocking enabled: No
    Vulnerability Protection enabled: No
    Infected Device Prevention and Blocking: No
    Better to activate everything? Can I trust Trend Micro?
    Thanks a lot for the answer!
    Bruno
     
  4. Zonkd

    Zonkd Senior Member

    Joined:
    Oct 19, 2014
    Messages:
    389
    It’s optional. It will ask you to read and accept the EULA before AiProtect features are enabled. Read it well before deciding. The router will send a significant amount of data, including all of your web browsing, to TrendMicro (which is a reputable well known AV company).

    Merlin trusts them enough to use AiProtect. Personally I don’t and evidence shows they’ve been negligent in the recent past. In September of 2018 a lot of their software was removed from the Apple Mac App Store because it was literally Chinese Spyware. They outsource product development and don’t bother to check if it’s safe. Shame on Apple too for letting it into their App Store. Read up on it.

    Besides that, opting into aggressive network-level data collection seems like a bad idea.
     
    SMS786 likes this.
  5. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,600
    Location:
    United Kingdom
    I didn’t realise you had to enable AIProtection to run the security scan. So you could turn it on, run the scan and then turn it off if you wanted. But I’ve run all the AIProtection modules for several years without any qualms. And I remember a few years back that Merlin said he had run (or runs) most if not all the modules without hesitation. What’s good enough for Merlin is more than good enough for me.
     
  6. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,600
    Location:
    United Kingdom
    My memory isn’t quite up to speed: Merlin wrote, “I don't use the Infected Device detection. I only use the Vulnerability Protection feature.” Nevertheless, I’m fairly certain that, in other posts over the years, Merlin has said words to the effect of his trusting AIProtection or certainly not distrusting it.

    Anyway, have a look on the forum and see what the consensus is eg:

    https://www.google.com/search?q=asu...HM-wKHTpgDqUQrQIoBDAAegQIBBAJ&biw=320&bih=548
     
    Last edited: Jan 11, 2019
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    29,336
    Location:
    Canada
    Considering cve2009-3103 specifically targets Windows, I doubt your scanning software is doing a good job at determining real issues there, as your router is using Samba, a completely different daemon. This is a false positive.
     
  8. Dave Parker

    Dave Parker Regular Contributor

    Joined:
    Apr 22, 2015
    Messages:
    181
    Location:
    Marmaduke Ar.
    I've been using Merlin's firmware for several years, first on the N66U, then the AC68U, now on the AC86U. I have AIProtection enabled, SAMBA share enabled and guest login enabled. It's the only way I can access the Toshiba portable hard drive connected to the router. Nothing on it but backups. I'm still working on that. Mostly a learning thing. I trust Merlin's firmware and haven't had any problems with it. We live out in the sticks, closest neighbor is 1/4 mile away. I'm nobody from nowhere Arkansas. If the Chinese or anybody else wants to know that I shop at Amazon and Wal-Mart, that I am a SNB forum member, a HowToGeek and Windows10 forum subscriber, so be it. Who cares. A terrible waste of their time and resources.
     
  9. brumac

    brumac New Around Here

    Joined:
    Jan 11, 2019
    Messages:
    8
    I'm curious about it. I also trust the Merlin Firmware and I do not even have to hide.
    Thinking about vulnerabilities, they are perhaps false positives because I have not said one important thing:
    I have configured on my rt-68u VPN client (NordVPN) and also OpenVPN server (to communicate with my home network remotely)
    Perhaps it is the VPN that opens some protocols that then turn out to be false positives:
    Sorry for my ignorance on the subject and for my English!
     
  10. brumac

    brumac New Around Here

    Joined:
    Jan 11, 2019
    Messages:
    8
    443 tcp open https syn-ack

    http-method-tamper VULNERABLE:
    Authentication bypass by HTTP verb tampering
    State: VULNERABLE (Exploitable)
    This web server contains password protected resources vulnerable to authentication bypass
    vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
    common HTTP methods and in misconfigured .htaccess files.

    Extra information:

    URIs suspected to be vulnerable to HTTP verb tampering:
    / [HEAD]

    References:
    http://capec.mitre.org/data/definitions/274.html
    http://www.imperva.com/resources/glossary/http_verb_tampering.html
    https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)
    http://www.mkit.com.ar/labs/htexploit/
    How to solve vulnerabilities?
     
  11. David Arnstein

    David Arnstein Regular Contributor

    Joined:
    Mar 19, 2015
    Messages:
    53
    Configure your router to allow HTTP access only through the local area network.
     
  12. brumac

    brumac New Around Here

    Joined:
    Jan 11, 2019
    Messages:
    8
    How do I configure the RT68U router (Asuswrt-Merlin firmware) to allow HTTP access only through the local network? I do not know where to change this setting.
    Thank you!
     
  13. David Arnstein

    David Arnstein Regular Contributor

    Joined:
    Mar 19, 2015
    Messages:
    53
    On my RT-AC68U, the setting is
    Advanced Settings | Administration | System | Enable Web Access from WAN
    It is located at the very bottom of the System page.
     
  14. brumac

    brumac New Around Here

    Joined:
    Jan 11, 2019
    Messages:
    8
    Now I checked: Remote Access Config:
    Enable Web Access from WAN: No
    Firmware bug or depends on the OpenVPN (NordVPN) configuration on TCP port 443?!
     
  15. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,600
    Location:
    United Kingdom
    That is the default setting (and must not be changed if the router is the edge router).
     
    Last edited: Jan 24, 2019
  16. brumac

    brumac New Around Here

    Joined:
    Jan 11, 2019
    Messages:
    8
    OK! I was referring to (Firmware bug or depends on the OpenVPN (NordVPN) configuration on TCP port 443?!) :
    443 tcp open https syn-ack
    http-method-tamper VULNERABLE:
    Authentication bypass by HTTP verb tampering
    State: VULNERABLE (Exploitable)
    This web server contains password protected resources vulnerable to authentication bypass
    vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
    common HTTP methods and misconfigured .htaccess files.
    Do you recommend installing Skynet (firewall)?
     
    Last edited: Jan 24, 2019
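    The http-method-tamper finding quoted above rests on one observable behaviour: a path that answers GET with "401 Unauthorized" but answers another verb (HEAD, POST, an unknown method) with something that is not a refusal. The script below, added here as an illustration and not part of this thread, nor code from Asuswrt-Merlin or from zANTI, reproduces that comparison from the LAN so the owner can decide whether the report is real or a false positive. It also settles the question raised in the two preceding posts: if tcp/443 is really the OpenVPN server rather than the router's web UI, the port will not complete an HTTPS exchange at all and every request comes back as "not-http". The router address, the list of verbs and the decision rule in verdict() are assumptions of the example, not anything the scanner or the firmware documents.

```python
"""Triage an HTTP verb-tampering scanner finding against a router's LAN-side HTTPS port.

Added example; not code from the forum thread, zANTI or Asuswrt-Merlin.
Assumptions: the router answers on 192.168.1.1:443 with a self-signed
certificate, and a "refusal" is any of 401/403/405.  Run it from the LAN only.
"""
import http.client
import ssl

ROUTER = "192.168.1.1"              # assumption: typical Asuswrt LAN address
PORT = 443                          # the port the scanner flagged
PATHS = ["/"]                       # the URI the scanner flagged
ALT_VERBS = ["HEAD", "POST", "XYZZY"]   # HEAD, POST and a made-up (hypothetical) verb
REFUSALS = {401, 403, 405}          # assumption: statuses that count as "access denied"


def fetch_status(host, port, verb, path, timeout=5.0):
    """Send one request and return its HTTP status, or None if the port does not speak HTTPS
    (TLS failure, connection reset, non-HTTP reply such as an OpenVPN server would give)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # router certs are self-signed; we only want the status code
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request(verb, path)
        return conn.getresponse().status
    except (http.client.HTTPException, OSError):
        return None
    finally:
        conn.close()


def verdict(get_status, alt_statuses):
    """Decision rule (an assumption of this example, modelled on how verb-tampering checks work):

    - GET produced no HTTP answer          -> ("not-http", [])          port is not a web server
    - GET is not 401                       -> ("not-401-protected", []) finding's premise is absent
    - some other verb is not a refusal     -> ("verb-dependent", [verbs]) the finding reproduces
    - every other verb is also refused     -> ("consistent", [])         false positive
    """
    if get_status is None:
        return ("not-http", [])
    if get_status != 401:
        return ("not-401-protected", [])
    bypass = sorted(v for v, s in alt_statuses.items() if s is not None and s not in REFUSALS)
    if bypass:
        return ("verb-dependent", bypass)
    return ("consistent", [])


def triage(host=ROUTER, port=PORT, paths=PATHS, verbs=ALT_VERBS):
    """Return {path: (label, verbs)} for every path, probing GET first and then each alternative verb."""
    report = {}
    for path in paths:
        get_status = fetch_status(host, port, "GET", path)
        alts = {v: fetch_status(host, port, v, path) for v in verbs} if get_status is not None else {}
        report[path] = verdict(get_status, alts)
    return report


if __name__ == "__main__":
    for path, (label, verbs) in triage().items():
        extra = f" via {', '.join(verbs)}" if verbs else ""
        print(f"{path}: {label}{extra}")
```

    Read the result in the light of the advice earlier in the thread: "not-http" on 443 means the scanner was talking to something other than the web UI (an OpenVPN server bound to that port behaves exactly this way) and the verb-tampering report cannot apply to it; "consistent" means the UI refuses every verb alike and the finding is a false positive; only "verb-dependent" deserves follow-up, and the first mitigation is still the one named above, keeping "Enable Web Access from WAN" set to No so the interface is reachable from the LAN only.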
  17. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,600
    Location:
    United Kingdom

    I can’t help you with the bulk of your post; as for the last sentence, Skynet has a lot of very satisfied customers. Read here, both the question and the answer: it will give you a quick insight. https://www.snbforums.com/threads/skynet-asus-firewall-addition.16798/page-194#post-459552


    Where did the vulnerability assessment in your post come from?
     
  18. brumac

    brumac New Around Here

    Joined:
    Jan 11, 2019
    Messages:
    8
    I tested the vulnerabilities of my RT-68U (Firmware Asuswrt-Merlin 384.8.2) with zANTI:
    443 tcp open https syn-ack
    http-method-tamper VULNERABLE:
    Authentication bypass by HTTP verb tampering
    State: VULNERABLE (Exploitable)
    So to install Skynet I have to format a USB pen drive in ext4 and then where do I download Skynet and how do I install it?
    Thanks!
     
    Last edited: Jan 24, 2019
  19. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,600
    Location:
    United Kingdom
    brumac likes this.