
Asus does not offer the option to just disable the NAT helper. I don't know if they have fixed it, but last time I checked a few years ago, setting this to Disable had the unfortunate side-effect of also actively blocking that port, preventing for instance SIP from working.

(1) Are Asus routers running ASUSWRT-Merlin affected by NAT Slipstreaming? Mitigations? | Page 2 | SmallNetBuilder Forums (snbforums.com)

I looked around the forum and there was already a discussion on that topic. In November 2020 the conclusion was to disable everything in the NAT Passthrough tab; command-line master @ColinTaylor also suggested adding

modprobe -r nf_nat_ftp
modprobe -r nf_conntrack_ftp

to /jffs/scripts/firewall-start


Will executing those commands via SSH on the latest Asus firmware (not Merlin) work, or do I need the custom JFFS scripts functionality from Merlin?


Also, here is a mention of NAT Slipstreaming:
DNSPOOQ - JSOF (jsof-tech.com)

Maybe the dnsmasq fixes had an impact on those settings as well, because NAT Slipstreaming is mentioned as part of the latest vulnerabilities disclosed by JSOF, as well as SAD DNS or something.

Also, was SAD DNS already patched on Asus routers? Because from what I see it is suggested to disable outgoing ICMP, whatever that is.
 
As I said, that option does not exist on the stock firmware.

What do you think of adding:

modprobe -r nf_nat_ftp
modprobe -r nf_conntrack_ftp

to /jffs/scripts/firewall-start


What are those scripts doing? I would like to know before applying anything.

Also, is there a free alternative to NextDNS that is not vulnerable to the SAD DNS vulnerability? Because I've tested Cloudflare, Quad9 and Google and they are all vulnerable according to the SAD DNS site test; only NextDNS is not.

Also curious how they compromised the AX86U using the ALG when, using logic, you said that the NAT helper is the ALG and it's not present on stock firmware. So how did they do it?
 
What are those scripts doing? I would like to know before applying anything.

They do whatever you put in them, they are user-created.

Also curious how they compromised the AX86U using the ALG when, using logic, you said that the NAT helper is the ALG and it's not present on stock firmware. So how did they do it?

The ALGs are present in the stock firmware; it's just the option to enable/disable them that isn't. Asus's "Disable" doesn't just disable the ALG, it also actively blocks the port, which is problematic if you do need to use VoIP but just don't want the ALG to be used. They might have changed that since then, I haven't checked in years since I already had that part of the code handled.
 
They do whatever you put in them, they are user-created.



The ALGs are present in the stock firmware; it's just the option to enable/disable them that isn't. Asus's "Disable" doesn't just disable the ALG, it also actively blocks the port, which is problematic if you do need to use VoIP but just don't want the ALG to be used. They might have changed that since then, I haven't checked in years since I already had that part of the code handled.

In case of the VPN options, those do not have an "Enable + NAT helper" option. So what do these options do when set to disabled? Disable a netfilter ALG, or block the corresponding port?

And what about the FTP ALG? It seems to be present because you can configure a port for it.
 
In case of the VPN options, those do not have an "Enable + NAT helper" option.
Because they do not have a kernel ALG module.

And what about the FTP ALG? It seems to be present because you can configure a port for it.
No idea. I'd guess setting it to a port other than 21 should be enough to make it quite difficult to actively exploit.
 
Because they do not have a kernel ALG module.


No idea. I'd guess setting it to a port other than 21 should be enough to make it quite difficult to actively exploit.
Ah. So they are simple switches that block the corresponding port? Even for PPTP?
 
And what about the FTP ALG? It seems to be present because you can configure a port for it.

No idea. I'd guess setting it to a port other than 21 should be enough to make it quite difficult to actively exploit.

In another thread I saw adding those to the firewall in order to disable that FTP ALG port, but I don't know what it does.

modprobe -r nf_nat_ftp
modprobe -r nf_conntrack_ftp

to /jffs/scripts/firewall-start

@ColinTaylor needs to help
 
In another thread I saw adding those to the firewall in order to disable that FTP ALG port, but I don't know what it does.

modprobe -r nf_nat_ftp
modprobe -r nf_conntrack_ftp

to /jffs/scripts/firewall-start

@ColinTaylor needs to help
They remove these modules.
-r Remove MODULE (stacks) or do autoclean
 
They remove these modules.
-r Remove MODULE (stacks) or do autoclean

So is it safe to use when I want to disable that ALG port?

The thing is, they advised people to add those commands to this location:

/jffs/scripts/firewall-start

and it's not present on stock firmware. What I think it does is that it's applied after each router reboot. How do I achieve the same on stock? Because if I do it once and reboot the router it won't persist, I think.
 
So is it safe to use when I want to disable that ALG port?

The thing is, they advised people to add those commands to this location:

/jffs/scripts/firewall-start

and it's not present on stock firmware. What I think it does is that it's applied after each router reboot. How do I achieve the same on stock? Because if I do it once and reboot the router it won't persist, I think.

I don't think this exploit was successfully used with the FTP ALGs. It seems to be only SIP and H.323 for now. I think changing the port and making sure all browsers are up-to-date is good enough for now.

firewall-start is just the script that runs on a firewall (re)start. It's used to edit iptables and such. I wouldn't edit it unless you know what you're doing. The commands listed are fine though, they just remove those conntrack modules, nothing special.
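A complete firewall-start that does what @ColinTaylor's two modprobe lines do, added here as a worked example; it is not code from this thread, from Asus or from the Asuswrt-Merlin project. It assumes a BusyBox shell on the router with lsmod, modprobe and logger available, that Merlin runs /jffs/scripts/firewall-start on every firewall (re)start as the post above says, and that it is executed under that file name. The lsmod listing embedded in it is constructed, not captured from a real router, and the nf_conntrack_sip / nf_conntrack_h323 names in demo() are assumptions about which helpers a given kernel loads.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start on Asuswrt-Merlin: unload the FTP NAT helper.
# Added example for this thread; not code from the thread, Asus or Merlin.
# Merlin runs firewall-start whenever the firewall is (re)started, so the
# modules stay unloaded across reboots. Stock firmware has no such hook.

# Modules in removal order. nf_nat_ftp uses symbols exported by
# nf_conntrack_ftp, so it has to go first or the second modprobe -r fails
# because the conntrack module is still in use.
ALG_MODULES="nf_nat_ftp nf_conntrack_ftp"

# Constructed lsmod output (not captured from a real router) used by demo()
# so the listing logic can be exercised without root or a router.
SAMPLE_LSMOD='Module                  Size  Used by
nf_nat_ftp              2048  0
nf_conntrack_ftp        8192  1 nf_nat_ftp
nf_conntrack           65536  4 nf_nat_ftp,nf_conntrack_ftp
nf_conntrack_sip       16384  0'

# loaded_helpers MODULE_LIST: read lsmod-style text on stdin and print the
# names from MODULE_LIST that are currently loaded, in list order.
loaded_helpers() {
    text=$(cat)
    for m in $1; do
        if printf '%s\n' "$text" | awk -v mod="$m" '$1 == mod { found = 1 } END { exit found ? 0 : 1 }'; then
            printf '%s\n' "$m"
        fi
    done
}

# Remove only the helpers that are actually loaded. A failed modprobe -r is
# logged rather than aborting, so the rest of firewall-start still runs.
unload_helpers() {
    for m in $(lsmod | loaded_helpers "$ALG_MODULES"); do
        if modprobe -r "$m"; then
            logger -t firewall-start "unloaded $m"
        else
            logger -t firewall-start "could not unload $m (still in use?)"
        fi
    done
}

# Succeeds only when none of the FTP helper modules remain loaded.
helpers_gone() {
    [ -z "$(lsmod | loaded_helpers "$ALG_MODULES")" ]
}

# Show which of the listed helpers the constructed lsmod sample reports as
# loaded. The SIP/H.323 names are assumptions about a kernel's module set.
demo() {
    printf '%s\n' "$SAMPLE_LSMOD" | loaded_helpers "$ALG_MODULES nf_conntrack_sip nf_conntrack_h323"
}

# Only touch the kernel when actually installed as firewall-start; run
# under any other name the script just prints the demo listing.
case "$0" in
    */firewall-start|firewall-start)
        unload_helpers
        helpers_gone || logger -t firewall-start "FTP ALG helpers still loaded"
        ;;
    *)
        demo
        ;;
esac
```

Run as /jffs/scripts/firewall-start (executable) it unloads the two modules in dependency order and logs the result to syslog; run under any other name it only prints which helpers the constructed sample lists, which is the part a practitioner can check off-router. It does not answer the stock-firmware question raised in this thread: without a hook that re-runs on firewall start, a one-off modprobe -r over SSH is lost at the next reboot. On kernels that expose the net.netfilter.nf_conntrack_helper sysctl (an assumption about the router's kernel, not something checked in this thread), setting it to 0 stops helpers being attached to new connections without unloading any module.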
 
I don't think this exploit was successfully used with the FTP ALGs. It seems to be only SIP and H.323 for now. I think changing the port and making sure all browsers are up-to-date is good enough for now.

firewall-start is just the script that runs on a firewall (re)start. It's used to edit iptables and such. I wouldn't edit it unless you know what you're doing. The commands listed are fine though, they just remove those conntrack modules, nothing special.

I read somewhere that firewall-start is a script that is reapplied after every reboot, but I thought it's Merlin-exclusive. How do I set up a script that will disable the FTP ALG on stock firmware every time the router reboots? Because there is no toggle for it.
 
