Release Asuswrt-Merlin 386.13 / 386.13_2 is now available for AC models


@RMerlin Thanks for your input and dedication to this project, I very much appreciate it. I understand why you proceed as you do, but at the end of the day I still don't know whether the vulnerability fixes in Asus' latest 51685 from April 2024 are included or not in your variant/version of the GPL 51997 (seemingly newer, higher version number, although an older release from September 2023).
So, can I trust it, is it safe to use? Nobody seems to know, which is unacceptable, honestly.

I'll think this over, but I'm inclined to revert back to stock Asus firmware. Security is more important than extra features.
 
I'll think this over, but I'm inclined to revert back to stock Asus firmware. Security is more important than extra features.
And what about the security fixes that my firmware has, but stock doesn't, like CVE-2023-5678 & CVE-2024-0727? Or the fact that Asus's OpenVPN is 2 years older than mine?

Unless you can point at a specific issue that they address and that I don't and that actually is an issue for your network (fixes that target AiCloud for instance are irrelevant if you don't actually use AiCloud), switching firmware every time one of us releases a new version will be an endless waste of time. We are developed in parallel, we are never released at the same time, so one of us will always have fixes that the other doesn't yet. And it goes both ways.

which is unacceptable
This is a one-man project done in my spare time. I receive source code as 1 GB tarballs containing undocumented source code, with large portions of it closed source. I have no idea what changes Asus has made specifically. I don't have access to their git repos where commits are documented. The changelog provides zero technical details as to what was fixed specifically. So, I have no way of knowing what these fixes even are, or whether they were included in the last GPL drop they provided me. And it takes multiple weeks for Asus to prepare new GPL archives for me when I request them, so new GPLs will always take multiple weeks before they can be merged into a new Asuswrt-Merlin release. My last request for source code from them has been "I'm working on it" for nearly a month now.

If this is unacceptable, then go ahead and switch to a different platform. I simply cannot do anything more here.
 
@RMerlin Thanks again for the detailed response. Since Asus is not transparent with their release notes, nor with the GPL you receive from them, I will definitely get rid of anything Asus based on Broadcom and switch to x86 or Mediatek based units.
Have you considered doing work on / forking another firmware platform? I don't want to name any of them here since I don't want to get banned, but you know which ones I'm talking about.
 
I choose Asuswrt-Merlin because I trust it more than I trust Asuswrt to look after the important stuff. There is a community of testers (of varying thoroughness and expertise!) and add-on developers, so when issues are discovered they are addressed when needed by @RMerlin. This forum contains useful explanations and suggestions. There is excellent support available here. I think all that is way superior to the stock Asus offering.

I value stability and security. The question of vulnerabilities in Asuswrt being addressed or not in Asuswrt-Merlin, if they are even present at all, could be answered by testing. Many of the vulnerabilities that Asus claim to have fixed are documented and published CVEs, and these are presumably reproducible by someone with sufficient expertise and time. If there are folks in this community prepared to do that I think many would be grateful to them.
 
I will definitely get rid of anything Asus based on Broadcom and switch to x86 or Mediatek based units.
These are hardly better. Asus is definitely the most opensource-friendly of the bunch, besides rolling out your own router from something like OpenWRT.
Have you considered doing work on / forking another firmware platform? I don't want to name any of them here since I don't want to get banned, but you know which ones I'm talking about.
All the other hardware manufacturers (like Netgear) are flat out hostile to potential third party developers. There's someone on SNBForums who has been doing work on Netgear's firmware for years, and Netgear has rejected all of his attempts at even talking with them; they have even gone as far as removing some portions of the source code from their GPL drops since he started working on his project, making his task even harder. Their whole httpd server is 100% closed source for example, so you can't even implement any new real webui feature.

As for a project such as OpenWRT, I have no interest in getting involved in it as a developer. I would just be random developer number 50, whose main task is to update already existing packages, and argue on a mailing list as to how best to put that new checkbox on the webui. This sounds more like a job than a fun hobby to do. My primary reason to work on Asuswrt-Merlin (or any of my previous software projects) is for the fun of doing it as a hobby.

Personally, I think you are making a mountain out of a non-issue. A lot of the security issues reported there are hard to exploit, obscure corner-cases which, personally, I am not worried about at all. So even if some of these were still present, I am not feeling concerned by any of them. There is no proof-of-concept on how these could be exploited. These days, a lot of security fixes deal with very intricate corner cases that are not really exploitable in the wild. Take their fix regarding code execution in the custom options for instance. To exploit this, you need to have the admin login on the router. Which... already allows you to login over SSH, and directly run anything you'd want. This is an example of a security issue that is more academic than a concrete threat.

When there are real serious security issues, I have always been able to address them quite quickly. The Strongswan security issues recently fixed by Asus for instance were addressed in Asuswrt-Merlin within like a week of them being disclosed. I have also issued security fixes for SSH or OpenVPN within a very short period of time - shorter than the vast majority of router manufacturers out there. How many router manufacturers besides Asus have issued a fix for the recent dropbear security issues? (I am excluding commercial/proprietary platforms there as these are in a totally different category of products).

While no piece of software is ever totally perfect, I generally consider Asuswrt-Merlin as a whole to be in a good position as it currently is, and I don't feel worried at all in relying on it for my main router.

Just don't believe everything listed on a generic changelog to be a list of critical issues - a lot of listed fixes are actually non-issues for the regular user.
 
I’m sure I won’t be the only one sorry and frustrated that you’ve been diverted into having to justify your approach in 2 long, time-consuming posts, when you clearly have more pressing matters to deal with. Having said that, they were interesting and insightful.
 
Hi

Thanks for all the hard work.

I am using an Asus AC86u as the main router + 3 AC68U in node mode ( AiMesh ).
Everything was okay till the last FW upgrade, now the "surveillance system" doesn't work properly, the app ( Zmodo ) keeps saying "network problem" and won't connect the cam/image. I am thinking about downgrading to the last FW, but I will wait to see if the new one comes with a fix for this; except for this issue the whole system is okay and working well.
 
Most people here had their problems solved with a clean installation: upgrade to 388.7, factory reset followed by a manual configuration...
 
It is the same with 386.13.... CLEAN INSTALLATION is the keyword of my posting.
 
Understood, thanks.
 