Security Concern for our routers or nah?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Todd Snigg

New Around Here
So Google has been blasting my Pixel phone's news feed with articles about a set of new vulnerabilities for the RT-AC1900p, which I own, running Merlin's build.

Examples: 1st Article 2nd Article

They reference CVE-2020-15498 and CVE-2020-15499 which appear to be a MTM and XSS type of issue.

Is this something I need to be concerned about if I'm running Merlin's build 384.17? Seems like maybe it's not an issue since I don't have my router set to auto-update firmware. But I was just curious. I didn't see much other discussion on this site and searched for those CVE #s to no avail.

Thanks,

Todd
 

dave14305

Part of the Furniture
The only place I see the "no-check-certificate" is in the Trend Micro signature update scripts.
 

Dabombber

Senior Member
Asuswrt-Merlin only checks for updates, it doesn't try to download them.
New firmware availability check will remain automatic, and firmware upload will remain manual. I don't support automatic "live updates". Just like it has always been with Asuswrt-Merlin. Only nodes running the stock Asus firmware will be able to perform live updates.
I'd be more concerned about custom scripts running on the router, lots of people seem to use wget --no-check-certificate without understanding what it does.
 

RMerlin

Asuswrt-Merlin dev
Aside from the fact that my firmware doesn't have live update capabilities, I have been enforcing certificate checks for many years now.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top