
Security issues in the 374.39 merlin?


Alaska99

Occasional Visitor
There are a lot of security issues patched in the latest ASUS firmware release.
Does anyone know if these security issues are already patched in the latest Merlin build?

Thank you


Here is the change log of asus:
Version 3.0.0.4.374.4422
Description ASUS RT-AC68U Firmware version 3.0.0.4.374.4422
Security related issues:
1. Fixed lighttpd vulnerability.
2. Fixed cross-site scripting vulnerability (CWE-79).
3. Fixed the authentication bypass (CWE-592).
4. Added notification to help avoid security risks.
5. Fixed network place(samba) and FTP vulnerability.

Improvement:
1. Redesigned the parental control time setting UI.
2. Updated multi language strings.
3. Adjusted FW checking algorithm.
4. Adjusted Time zone detecting algorithm.
5. Supported EU 5Ghz DFS channel.
6. Improved web UI performance.
 
> There are a lot of security issues patched in the latest ASUS firmware release.
> Does anyone know if these security issues are already patched in the latest Merlin build?

Not yet, since 4422 was released after 374.39.
 
Merlin, will you have an update soon with the security issues fixed? Thank you.
 
> Merlin, will you have an update soon with the security issues fixed? Thank you.

As always no ETA for new Merlin firmware. So please don't ask.
Just wait patiently, it will show up some time.
It's his free time.
 
Builder71, don't take this the wrong way. I was not asking for an ETA, just seeing if the security fixes would be applied when the next version of the firmware was released. I understand about using custom firmware and that it's done for free. :)
 
> Builder71, don't take this the wrong way. I was not asking for an ETA, just seeing if the security fixes would be applied when the next version of the firmware was released. I understand about using custom firmware and that it's done for free. :)

You can always send Merlin a donation for his hard work. Many of us have.
--bill
 
I just saw news that the N66 exposes all the contents of drives attached to the router USB ports with only your ISP IP.
 
Do you have a link/more info? Which firmware version? What settings or options enabled?
 
> I just saw news that the N66 exposes all the contents of drives attached to the router USB ports with only your ISP IP.

Disable FTP, or make sure it's configured to only allow sharing with accounts...
 
Thank you Merlin! I just made my small contribution to your PayPal to thank you for all the work you do for us. :)
 
http://arstechnica.com/security/201...e-been-pwned-thanks-to-easily-exploited-flaw/

It does not appear to be FTP related. HTTPS with any cloud connection if I am reading it properly.

Since at this point there is more FUD than actual facts as to the real vectors of attack (no two articles are talking about the same vulnerabilities, and some articles are referring to vulnerabilities that were actually fixed nearly a year ago), then just disable the FTP server and AiCloud for now, and you'll be fine.
 
I made sure everything was disabled that was named in the various online articles about possible Asus vulnerabilities, anything I didn't actually need to use, yet my WAN IP address was one of the 13,000 named (YIKES) so now I'm really concerned.

I turned off all the AiCloud stuff, FTP access, Samba support, telnet, ssh, iTunes Server, DLNA, etc. I do have a flash drive connected to my AC68U to store the router logs but that's it. What I don't know is when they got my IP address. I wasn't too concerned before because I had followed the advice here but there must be other ways into the router I don't know about. That's scary! I am running Merlin's 374.39.

Update: I found UPnP was actually turned on. I wonder if that is the leak?
 
> I made sure everything was disabled that was named in the various online articles about possible Asus vulnerabilities, anything I didn't actually need to use, yet my WAN IP address was one of the 13,000 named (YIKES) so now I'm really concerned.
>
> I turned off all the AiCloud stuff, FTP access, Samba support, telnet, ssh, iTunes Server, DLNA, etc. I do have a flash drive connected to my AC68U to store the router logs but that's it. What I don't know is when they got my IP address. I wasn't too concerned before because I had followed the advice here but there must be other ways into the router I don't know about. That's scary! I am running Merlin's 374.39.
>
> Update: I found UPnP was actually turned on. I wonder if that is the leak?

The RT-AC68U/RT-AC56U have a different vulnerability where any USB disks shared over SMB were available over WAN. I fixed that issue with 374.39, but Asus has yet to fully fix that one. That could have been how you got compromised.

UPnP is fine. It's only accessible from the LAN side, and miniupnpd is quite actively maintained by its author (and I mostly keep up-to-date with him).
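
A way to confirm that the services named in this thread (FTP, Samba, telnet, ssh, the HTTPS web UI/AiCloud) are really unreachable on your own WAN address, as an added example that is not part of the original thread. The port numbers are the standard defaults, not values from the thread, and the script has to be run from outside your LAN (for example a phone hotspot) for the result to mean anything.

```python
import socket
import sys

# Standard default TCP ports for the services discussed above (assumption:
# the router uses the defaults; change these if you moved a service).
SERVICE_PORTS = {
    "ftp": 21,
    "ssh": 22,
    "telnet": 23,
    "samba (netbios-ssn)": 139,
    "samba (smb)": 445,
    "https (web UI / AiCloud)": 443,
}

def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"            # handshake completed: service is reachable
    except ConnectionRefusedError:
        return "closed"              # host answered with a reset: nothing listening
    except OSError:
        return "no-response"         # timeout or unreachable: dropped by a firewall

def audit(host, ports=SERVICE_PORTS, timeout=3.0):
    """Probe every named service and return {service name: state}."""
    return {name: probe(host, port, timeout) for name, port in ports.items()}

def exposed(results):
    """Return the sorted names of services that accepted a connection."""
    return sorted(name for name, state in results.items() if state == "open")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wan_audit.py <your-own-WAN-IP>")
    results = audit(sys.argv[1])
    for name, state in results.items():
        print(f"{name:28s} {state}")
    # Non-zero exit status if anything is reachable from the WAN side.
    sys.exit(1 if exposed(results) else 0)
```

Anything reported as "open" is reachable from the Internet and should be disabled or restricted to accounts, as advised above.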
 
I have recently purchased the AC66U (not yet arrived) and AiCloud and USB attached storage were some of the functions I was interested in. I presume the Asus firmware HAS fixed this then?

I would like to try the Merlin firmware at some point, although this board seems rather technical for me.
 
