Vulnerabilities & updates

Valyno

Occasional Visitor
Hello Guys,

Probably a stupid question, but this topic has been nagging at me for a while.
Last year, a security study on consumer routers demonstrated that the firmware of 127 machines was based on old versions of Linux, mostly unpatched.
What about Asus-Merlin?
Is it patched, or are we at risk like the regular firmware described in the study?
Here is a vulnerability in Asus AX86U firmware. No mention by Asus of any patch. What about Asus-Merlin?

Thanks!
Valyno
 

L&LD

Part of the Furniture

RMerlin

Asuswrt-Merlin dev
Here is a vulnerability in Asus AX86U firmware. No mention by Asus of any patch. What about Asus-Merlin?

That site makes a lot of assumptions based on no factual data or actual testing of their own. For instance, what is the CVE that refers to that particular security issue? If there was no CVE assigned to it, then that often means that you cannot assume that the issue still exists just because it wasn't specified in the changelog. Asus tends to only document actual CVEs.

I've seen sites complaining about security issues that Asus had actually gone and fixed over a YEAR ago...

"Is it patched?" is a very broad question. You have to be more specific as to which specific security issues you are referring to. Asus regularly patches security issues as they are found, same for me.
 
P

podkaracz

Guest
That site makes a lot of assumptions based on no factual data or actual testing of their own. For instance, what is the CVE that refers to that particular security issue? If there was no CVE assigned to it, then that often means that you cannot assume that the issue still exists just because it wasn't specified in the changelog. Asus tends to only document actual CVEs.

I've seen sites complaining about security issues that Asus had actually gone and fixed over a YEAR ago...

"Is it patched?" is a very broad question. You have to be more specific as to which specific security issues you are referring to. Asus regularly patches security issues as they are found, same for me.

I was looking at the page provided by the OP and there was no info about vulnerabilities, but I googled a bit about this contest and found some info.
According to routersecurity.org there were no fixes issued even in the latest official firmware.
"January 2, 2021: Still nothing on the Asus Security Advisory page. But, there is new firmware, version 3.0.0.4.386.41535 dated Dec. 30, 2020. There were many changes in the firmware, but there is no mention of a bug fix. The bug seems to have fallen off the end of the earth. Such are consumer routers."

What's interesting is that the "hacking contest" was discussed here on SNB

Asus, Netgear, and TP-LINK routers cracked at China's Tianfu world competition | SmallNetBuilder Forums (snbforums.com)

Here is the Twitter account; the router was compromised with an SQLi attack (whatever that is)

TianfuCup (@TianfuCup) / Twitter
 

mromero

Senior Member
I was looking at the page provided by the OP and there was no info about vulnerabilities, but I googled a bit about this contest and found some info.
According to routersecurity.org there were no fixes issued even in the latest official firmware.
"January 2, 2021: Still nothing on the Asus Security Advisory page. But, there is new firmware, version 3.0.0.4.386.41535 dated Dec. 30, 2020. There were many changes in the firmware, but there is no mention of a bug fix. The bug seems to have fallen off the end of the earth. Such are consumer routers."

What's interesting is that the "hacking contest" was discussed here on SNB

Asus, Netgear, and TP-LINK routers cracked at China's Tianfu world competition | SmallNetBuilder Forums (snbforums.com)

Here is the Twitter account; the router was compromised with an SQLi attack (whatever that is)

TianfuCup (@TianfuCup) / Twitter
In my area of work, we are aware that manufacturers and governments are not keen on admitting or stamping out security vulnerabilities. They oft work hand in hand to make use of these breaches, some accidental, many deliberately introduced. And they have armies of trolls ready to deploy to downplay, pooh-pooh and bury news of discovered compromises.
 
P

podkaracz

Guest
In my area of work, we are aware that manufacturers and governments are not keen on admitting or stamping out security vulnerabilities. They oft work hand in hand to make use of these breaches, some accidental, many deliberately introduced. And they have armies of trolls ready to deploy to downplay, pooh-pooh and bury news of discovered compromises.

This sounds like a conspiracy theory. It was confirmed many times that vendors leave backdoors for governments to compromise the router, but I doubt people here will discredit anyone for exposing it. If you want to be 100% sure no one is messing with your router, build it from scratch yourself. Good luck with the technical knowledge and money needed to do this :D Not only the hardware but also the firmware; it's a hard task.
 

RMerlin

Asuswrt-Merlin dev
According to routersecurity.org there were no fixes issued even in the latest official firmware.

What they said is that Asus hasn't ANNOUNCED a security fix. That doesn't mean they haven't implemented any. So here they are making assumptions.
 
P

podkaracz

Guest
What they said is that Asus hasn't ANNOUNCED a security fix. That doesn't mean they haven't implemented any. So here they are making assumptions.

I don't know how reliable this source is (routersecurity.org). Either Asus patched it without informing anyone or they are hiding it. Sadly there is no one to test this vulnerability to confirm who's right here. Also, I tried to look for more info about this vulnerability but there is none. If I understand correctly, SQLi attack is a type of attack/attack vector and not the actual name of a vulnerability, so there is no precise CVE to watch for.

I'm not 100% sure if it's this, but I found this on grc.com where they discussed this Tianfu event as well as many other things:

"NAT Slipstreaming exploits the user's browsers, in conjunction with the Application Level Gateway connection tracking mechanism built into NATs, routers, and firewalls, by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse. As it's the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions."

source: Security Now! Transcript of Episode #792 (grc.com)
 
P

podkaracz

Guest
What they said is that Asus hasn't ANNOUNCED a security fix. That doesn't mean they haven't implemented any. So here they are making assumptions.

So I found out that to prevent this SQLi attack we should turn off ALG on our router; what do you think about that? What things in that tab where ALG is should I disable, if not in use, for security purposes? Also, all that stuff, SIP and others, should be turned off for security purposes I suppose.

How do I disable ALG? I see only the port is visible and some other settings that I already turned off. So where is the ALG switch?
 

RMerlin

Asuswrt-Merlin dev
The NAT Slipstream attack is the one that uses ALG helpers to potentially compromise clients. I recommend making sure none of the settings on the NAT Passthrough page is set to "Enabled + NAT Helper"; they should be either "Enabled" or "Disabled". I haven't tested this, but I would expect ensuring NAT helpers are disabled to be enough to prevent this attack vector.

Those ALGs are generally not needed by modern clients. For instance, I have both an ATA (for my home phone) and a direct IP phone (for work) here; both work fine without the need for an ALG helper.

Note that numerous browsers are now implementing mitigation methods by blocking certain ports used by these protocols.
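The GUI setting above decides whether the firmware loads the netfilter helper modules, but from an SSH shell you can verify directly which ALG helpers are actually loaded. The following audit script is an added example, not code from this thread, from RMerlin or from the Asuswrt-Merlin project. The nf_conntrack_*/nf_nat_* module names and the net.netfilter.nf_conntrack_helper sysctl are real Linux names; the lsmod output embedded below is constructed for the example so it runs offline, and on a live router you would pipe the real `lsmod` into it instead.

```shell
#!/bin/sh
# Added example (not from the thread or the Asuswrt-Merlin project): audit a
# Linux router for loaded netfilter ALG helper modules, the kind of helper that
# NAT Slipstreaming abuses. A clean result is "no helper modules loaded".

# Constructed sample of `lsmod` output from a router that still has the SIP,
# FTP and PPTP helpers loaded. Live usage: lsmod | list_alg_helpers
SAMPLE_LSMOD='Module                  Size  Used by
nf_nat_sip             16384  0
nf_conntrack_sip       32768  1 nf_nat_sip
nf_conntrack_ftp       20480  0
nf_conntrack_pptp      16384  0
nf_nat                 40960  3 nf_nat_sip,nf_nat_ftp,nf_nat_pptp
nf_conntrack          139264  6 nf_conntrack_sip,nf_conntrack_ftp'

# Print the helper (ALG) modules found in lsmod-style input on stdin, one per
# line. Only the per-protocol helper modules match; the core nf_conntrack and
# nf_nat modules are always present and are not helpers.
list_alg_helpers() {
    awk '$1 ~ /^nf_(conntrack|nat)_(sip|ftp|h323|pptp|tftp|irc|snmp|amanda|sane|rtsp)$/ { print $1 }'
}

# Count the distinct protocols that have a helper loaded (nf_nat_sip and
# nf_conntrack_sip count once, as one SIP ALG). Prints 0 for a clean box.
count_alg_protocols() {
    list_alg_helpers \
        | sed -e 's/^nf_conntrack_//' -e 's/^nf_nat_//' \
        | sort -u | wc -l | tr -d ' '
}

# Interpret net.netfilter.nf_conntrack_helper. A value of 1 means the kernel
# attaches a loaded helper automatically to every flow on the helper's port
# (the permissive default on kernels before 4.7); 0 means helpers are only
# attached where an explicit iptables CT --helper rule asks for them.
# Live usage: helper_autoassign "$(sysctl -n net.netfilter.nf_conntrack_helper)"
# Returns 0 when the setting is the restrictive one, 1 when permissive.
helper_autoassign() {
    case "$1" in
        0) echo "automatic helper assignment OFF (helpers need an explicit CT rule)"; return 0 ;;
        1) echo "automatic helper assignment ON (any loaded helper applies to its port)"; return 1 ;;
        *) echo "unknown value: $1"; return 2 ;;
    esac
}

# Stand-alone run against the constructed sample.
echo "Loaded ALG helper modules:"
printf '%s\n' "$SAMPLE_LSMOD" | list_alg_helpers
echo "Protocols with a helper loaded: $(printf '%s\n' "$SAMPLE_LSMOD" | count_alg_protocols)"
helper_autoassign 1 || true
```

On a router where the NAT Passthrough options are set to plain "Enabled" or "Disabled", the expectation is that `lsmod | list_alg_helpers` prints nothing; if helper modules are still listed, the setting did not take effect until the next reboot, or the firmware loads them unconditionally, and that is worth knowing before relying on the GUI alone.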
 
P

podkaracz

Guest
The NAT Slipstream attack is the one that uses ALG helpers to potentially compromise clients. I recommend making sure none of the settings on the NAT Passthrough page is set to "Enabled + NAT Helper"; they should be either "Enabled" or "Disabled". I haven't tested this, but I would expect ensuring NAT helpers are disabled to be enough to prevent this attack vector.

Those ALGs are generally not needed by modern clients. For instance, I have both an ATA (for my home phone) and a direct IP phone (for work) here; both work fine without the need for an ALG helper.

Note that numerous browsers are now implementing mitigation methods by blocking certain ports used by these protocols.
(attached screenshot: settings.png)

Wyłącz means disabled. So is this enough, or should I disable something more? I can't find an ALG toggle, just this. From what I've read thus far, those settings are in fact the "ALG" and there is no separate "ALG" toggle. Am I right?

This podcast that I linked above has a lot of info about this vulnerability. It was used to compromise the AX86U, and in response to this web browsers are being patched to block some ports, from what I can read. Also he states that it's better to disable it because who knows what can happen in the future, and it's a possible attack vector.
Really good read.
 

TonyK132

Senior Member
Based on this discussion, I looked at my NAT->Nat Passthrough tab, and found that the 3 options that had NAT Helper as options were enabled. So I changed all 3 to only Enable because I do not know what they affect. I too have an ATA in my network, so I'm guessing at least the SIP Passthrough needs to be Enabled, but do not know about any of the options. After making those changes, do I need to reboot the router or are the settings dynamic? Also if this is such a security concern, why aren't the NAT Helper options disabled by default?
 
P

podkaracz

Guest
Based on this discussion, I looked at my NAT->Nat Passthrough tab, and found that the 3 options that had NAT Helper as options were enabled. So I changed all 3 to only Enable because I do not know what they affect. I too have an ATA in my network, so I'm guessing at least the SIP Passthrough needs to be Enabled, but do not know about any of the options. After making those changes, do I need to reboot the router or are the settings dynamic? Also if this is such a security concern, why aren't the NAT Helper options disabled by default?

I tested it on an Asus RT-AC86U and I did not have the option to select "NAT helper", only disable or enable. Maybe it was patched; what firmware are you on? I'm currently on the latest beta with dnsmasq fixes.
 

TonyK132

Senior Member
384.19_0. But I've had many previous Merlin versions since I got the AC86U a few years ago. I do not recall ever going to that tab, and if I did, then it was a "Whoa, I have no idea what any of this is, so I will leave the defaults alone".
 
P

podkaracz

Guest
384.19_0. But I've had many previous Merlin versions since I got the AC86U a few years ago. I do not recall ever going to that tab, and if I did, then it was a "Whoa, I have no idea what any of this is, so I will leave the defaults alone".

Update to the latest firmware (released today by Merlin) with security fixes and format; I use WPS reset because it seems the most stable. Then check again if you are able to pick "+NAT helper", because I'm using the latest Asus beta and there is no option for this, only enable/disable. It's good to check the AiProtection tab and make sure to have all things checked there (potential attack vectors).
 

RMerlin

Asuswrt-Merlin dev
Asus does not offer the option to just disable NAT helper. I don't know if they have fixed it, but last time I checked a few years ago, setting this to Disable had the unfortunate side-effect of also actively blocking that port, preventing for instance SIP from working.
 
P

podkaracz

Guest
Asus does not offer the option to just disable NAT helper. I don't know if they have fixed it, but last time I checked a few years ago, setting this to Disable had the unfortunate side-effect of also actively blocking that port, preventing for instance SIP from working.

Something changed in the latest firmware then, because I can't seem to pick NAT helper from the list (not sure how it looks on previous firmware), but on the latest beta I can pick either disable or enable and there is no "+NAT helper" option. Do you recommend enabling anything there, or is it better to leave it all off?
 
