RT-AC88U Remote code execution fix


Morac

Senior Member
I’m running Merlin 384.19 on an RT-AC88U. I’m not sure what version of the GPL is being used on that, but I’m pretty certain it doesn’t include the changes from the 385.20631 ASUS firmware, as that was released the same day and the GPL code wasn’t released until September 28th.


According to the release notes for 385.20631, all it does is fix a remote code execution vulnerability in the RT-AC88U.

@RMerlin Do you know if your 384.19 release contains a patch for the RCE vulnerability? If not, I know you aren’t working on new 384/385 releases, but considering an RCE is very, very bad, do you plan to release an update to include 385.20631 for the RT-AC88U?

Thanks,
 

RMerlin

Asuswrt-Merlin dev
Do you know if your 384.19 release contains a patch for the RCE vulnerability?
I don't know since I have no additional detail as to what that vulnerability is specifically. Could be something already patched, could be something that my firmware wasn't vulnerable to, or could be something that's not patched yet.

do you plan to release an update to include 385.20631 for the RT-AC88U?
There are no plans for any further 384.xx release; work is currently being done on 386.1. The 384.xx GPL release situation makes it impossible for me to work with it.
 

cooloutac

Very Senior Member
I don't know since I have no additional detail as to what that vulnerability is specifically. Could be something already patched, could be something that my firmware wasn't vulnerable to, or could be something that's not patched yet.



There are no plans for any further 384.xx release; work is currently being done on 386.1. The 384.xx GPL release situation makes it impossible for me to work with it.
When you asked me why I said security is an afterthought for you, this is a case in point. I'm ready to give up using a VPN on your firmware so my router isn't a sitting duck.

I’m running Merlin 384.19 on an RT-AC88U. I’m not sure what version of the GPL is being used on that, but I’m pretty certain it doesn’t include the changes from the 385.20631 ASUS firmware, as that was released the same day and the GPL code wasn’t released until September 28th.


According to the release notes for 385.20631, all it does is fix a remote code execution vulnerability in the RT-AC88U.

@RMerlin Do you know if your 384.19 release contains a patch for the RCE vulnerability? If not, I know you aren’t working on new 384/385 releases, but considering an RCE is very, very bad, do you plan to release an update to include 385.20631 for the RT-AC88U?

Thanks,
I would assume it's only updated to "UPDATED: Merged SDK + binary blobs 384_9107 for RT_AX88U". Even the AC68U isn't patched for it, even though he released his firmware on the same day Asus released the patch, giving the impression that it was.

john9527

Part of the Furniture
Even the ac68u isn't patched for it
One of the articles says:

This new flaw affects operating systems Linux (kernel 3.18-5.10), Windows Server 2019 (version 1809) and newer, macOS 10.15 and newer, and FreeBSD 12.1.0 and newer.

The AC68 runs kernel 2.6.
The only routers that would fall into the range are the new HND routers running kernel 4.1.
 

cooloutac

Very Senior Member
One of the articles says:

This new flaw affects operating systems Linux (kernel 3.18-5.10), Windows Server 2019 (version 1809) and newer, macOS 10.15 and newer, and FreeBSD 12.1.0 and newer.

The AC68 runs kernel 2.6.
The only routers that would fall into the range are the new HND routers running kernel 4.1.
What article? It just states an RCE vulnerability, but as Merlin stated, he doesn't even know what it's for. What exactly are you referring to? Not all Asus routers seem to have gotten such a patch. For example, the AX58U had a CallStranger patch at the end of July, which is a UPnP bug affecting AX routers. The AC86U had some buffer overflow patch a few days after the AC68U and AC88U had the mysterious RCE patch, which may not be related. If you have inside info, can you link the article?

john9527

Part of the Furniture
If you have inside info can you link the article?
No inside info... just read through the articles that were posted in the SAD DNS thread here. Probably my fault that I mixed it up with this thread.

This is the article with the kernel info.

One thing to remember... we don't have access to the ASUS git, so unless there's a CVE listed that we can possibly cross-reference, we have no idea what was actually changed or addressed.
 

cooloutac

Very Senior Member
No inside info... just read through the articles that were posted in the SAD DNS thread here. Probably my fault that I mixed it up with this thread.

This is the article with the kernel info.

One thing to remember... we don't have access to the ASUS git, so unless there's a CVE listed that we can possibly cross-reference, we have no idea what was actually changed or addressed.
Ya, I think you posted in the wrong thread lol. No worries. But the OP makes a good point: it doesn't get any worse than an RCE, and it's really not enough to just say maybe there is already a mitigation against it, who knows... I would assume there isn't, and anyone using Merlin firmware on an AC68U or AC88U is highly vulnerable. As vulnerable as one can be using a home router. I'm guessing it's the fault of the chipset architecture, due to the fact the 86 or AX routers were not patched for it. They both have 470 chipsets, which is one commonality.

RMerlin

Asuswrt-Merlin dev
and anyone using Merlin firmware on an AC68U or AC88U is highly vulnerable.
Unless you have facts to support your claim, it's nothing but random rambling and assumptions.

Here's an actual fact for you: don't expose your router's webui to the Internet (which I have been advising for years), and you won't be vulnerable to any remote code execution, since that is the only area that Asus is patching there, and all of the non-Asus components that are fronting the Internet (like OpenVPN) are more up-to-date in my firmware than theirs.
 
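The check a practitioner would want after the advice above: confirm that the web UI is not reachable from the WAN both in configuration and in what is actually listening. This is an added example, not code from the thread or from Asuswrt/Asuswrt-Merlin; the nvram key names (misc_http_x for "Enable Web Access from WAN", misc_httpport_x and misc_httpsport_x for the WAN-side ports) are my assumption of the Asuswrt naming, and the nvram and netstat samples are constructed.

```shell
#!/bin/sh
# Added example: decide whether the Asuswrt web UI is exposed to the WAN.
# Assumed nvram keys: misc_http_x (1 = WAN web access on), misc_httpport_x,
# misc_httpsport_x (WAN-side HTTP/HTTPS ports). On a real router replace the
# constructed samples with "$(nvram show)" and "$(netstat -ln)".

# Constructed sample: WAN access enabled in configuration.
SAMPLE_NVRAM='http_enable=1
misc_http_x=1
misc_httpport_x=8080
misc_httpsport_x=8443
lan_ipaddr=192.168.1.1'

# Constructed sample: WAN access disabled in configuration.
SAMPLE_NVRAM_SAFE='http_enable=1
misc_http_x=0
misc_httpport_x=8080
misc_httpsport_x=8443
lan_ipaddr=192.168.1.1'

# Constructed sample of `netstat -ln`: 8443 bound to all interfaces (exposed).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN'

# Constructed sample of `netstat -ln`: web UI bound to the LAN address only.
SAMPLE_NETSTAT_SAFE='tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN'

# nv_get KEY DUMP: value of KEY from a key=value dump.
nv_get() { printf '%s\n' "$2" | sed -n "s/^$1=//p"; }

# True when the configuration itself enables WAN web access.
wan_webui_enabled_in_config() { [ "$(nv_get misc_http_x "$1")" = "1" ]; }

# Ports with a TCP listener bound to 0.0.0.0 (reachable on every interface).
wildcard_listen_ports() {
  printf '%s\n' "$1" | awk '$1=="tcp" && $4 ~ /^0\.0\.0\.0:/ {split($4,a,":"); print a[2]}'
}

# assess NVRAM_DUMP NETSTAT_DUMP: prints EXPOSED or NOT_EXPOSED. Config drift
# (config says off, but the WAN port is still wildcard-bound) is also EXPOSED.
assess() {
  http_port=$(nv_get misc_httpport_x "$1"); https_port=$(nv_get misc_httpsport_x "$1")
  if wan_webui_enabled_in_config "$1"; then echo EXPOSED; return; fi
  for p in $(wildcard_listen_ports "$2"); do
    if [ "$p" = "$http_port" ] || [ "$p" = "$https_port" ]; then echo EXPOSED; return; fi
  done
  echo NOT_EXPOSED
}

assess "$SAMPLE_NVRAM" "$SAMPLE_NETSTAT"
```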

cooloutac

Very Senior Member
Unless you have facts to support your claim, it's nothing but random rambling and assumptions.

Here's an actual fact for you: don't expose your router's webui to the Internet (which I have been advising for years), and you won't be vulnerable to any remote code execution, since that is the only area that Asus is patching there, and all of the non-Asus components that are fronting the Internet (like OpenVPN) are more up-to-date in my firmware than theirs.
Again, this is why you mistakenly feel a VPN is useless for security and privacy. When in fact, when you have 50 IoT devices in your home, your home LAN is just as public. That's an old, archaic, outdated way of thinking. VLANs are helpful to a point. The only one rambling was you, acting like you didn't even know what the guy was talking about, throwing a bunch of defensive excuses at him... The correct answer to him was NO.

I await my ban.
 

RMerlin

Asuswrt-Merlin dev
Again, this is why you mistakenly feel a VPN is useless for security and privacy.
I guess you still haven't understood a single word of what I wrote at the time in that conversation, and I have no intention of repeating myself again. Keep drinking the marketing Kool-Aid pushed forward by most of these "VPN providers", and hand them ALL of your data.

That is NOT what a VPN was designed for.
 

RMerlin

Asuswrt-Merlin dev
And I still stand by my reply. Unless you actually know what that specific RCE is, then you cannot in any way claim that my users are "highly vulnerable". Here's another example for ya: that recent highly publicized UPnP vulnerability that Asus listed as having patched in their changelog? Turns out that neither my firmware nor theirs was ever vulnerable to it. Broadcom fixed it in their SDK's own UPnP implementation, which neither Asus nor myself even uses.

You can't just take a vague changelog entry and immediately assume you know anything about what's actually behind it. So quit making accusations without any proof to back them up.
 

cooloutac

Very Senior Member
And I still stand by my reply. Unless you actually know what that specific RCE is, then you cannot in any way claim that my users are "highly vulnerable". Here's another example for ya: that recent highly publicized UPnP vulnerability that Asus listed as having patched in their changelog? Turns out that neither my firmware nor theirs was ever vulnerable to it. Broadcom fixed it in their SDK's own UPnP implementation, which neither Asus nor myself even uses.

You can't just take a vague changelog entry and immediately assume you know anything about what's actually behind it. So quit making accusations without any proof to back them up.
And you can't assume they aren't. Better safe than sorry, as the old adage goes. The guy asked if it was patched, not if the patch was necessary. The DoD themselves adopted the policy of assuming they are already compromised and going from there. It's how all security professionals are trained now. Not the other way around; it's not the 90s anymore. Asus is doing it right.

According to this page http://callstranger.com/ there are some confirmed vulnerable Asus devices. I'll have to take your word for it regarding other models.

cooloutac

Very Senior Member
I guess you still haven't understood a single word of what I wrote at the time in that conversation, and I have no intention of repeating myself again. Keep drinking the marketing Kool-Aid pushed forward by most of these "VPN providers", and hand them ALL of your data.

That is NOT what a VPN was designed for.

Keep thinking your home LAN should not be treated as public.
 

cooloutac

Very Senior Member
And I gave him the honest answer: I don't know.
The honest answer was NO. Which you could still do, but if you think it isn't worth your time or necessary, well then that's your decision. If security is of the utmost importance, I would suggest the guy install stock for now and wait for 386, which is what I might do. As the OP rightly implied, an RCE vulnerability trumps whatever security features your firmware has that stock doesn't.
 

RMerlin

Asuswrt-Merlin dev
According to this page http://callstranger.com/ there are some confirmed vulnerable Asus devices. I'll have to take your word for it regarding other models.
Asuswrt (and Asuswrt-Merlin) both use miniupnpd. That same site states the following:

You need to patch your devices' UPnP stack depending on new UPnP Specification on OCF Web site. Some UPnP stacks like miniupnp (after 2011) are not vulnerable.
Asus's miniupnpd currently dates from 2018, and we've worked together recently to have them also update to the newer version that I'm currently using, which should appear on stock firmware in the very near future.
 

cooloutac

Very Senior Member
Asuswrt (and Asuswrt-Merlin) both use miniupnpd. That same site states the following:



Asus's miniupnpd currently dates from 2018, and we've worked together recently to have them also update to the newer version that I'm currently using, which should appear on stock firmware in the very near future.
It uses the word "some", not "all". That could be interpreted either way. Why would they confirm a model vulnerable if they didn't test it? Asus did the right thing being better safe than sorry, imo.
 

L&LD

Part of the Furniture
@cooloutac, your comments and criticisms certainly make you come off as uninformed and biased.

Your agenda is transparent and you clearly don't want to participate in meaningful discussions.

If you're trying to get permanently banned, please continue, I'm sure you will succeed.

If you want to remain and have any respect from others for your point of view, then please discuss facts. Your unfounded accusations and poor attitude are really wearing thin.
 

cooloutac

Very Senior Member
@cooloutac, your comments and criticisms certainly make you come off as uninformed and biased.

Your agenda is transparent and you clearly don't want to participate in meaningful discussions.

If you're trying to get permanently banned, please continue, I'm sure you will succeed.

If you want to remain and have any respect from others for your point of view, then please discuss facts. Your unfounded accusations and poor attitude are really wearing thin.
Please stop with the personal attacks. Send your petition to thiggins. Refer to my latest post and stay on subject. If I get banned for promoting more security for Asus users, then so be it. That's on your conscience, not mine.

And just to stay on subject: the deflection to citing the CallStranger vulnerability as a reason to say maybe the latest RCE for the AC88U and AC68U does not need to be patched is a lame excuse not to do so. Because even if it was unnecessary, which imo Merlin hasn't fully proved, Asus still did the right thing from a security perspective.
