443 AiCloud vulnerable?

He11singKG

New Around Here
Hello. I'm working with some Asus routers, mostly model RT-ACRH13.
Firmware:
3.0.0.4.380_8457
3.0.0.4.380_8347
3.0.0.4.380_8119
3.0.0.4.382_52134
3.0.0.4.382_52504 and some others
I have this setup:
Firewall enabled
WAN access disabled
SSH enabled with key authorization
PPTP disabled
OVPN enabled, some UDP, some TCP
For a few months I have been having this problem:
Can't connect to OVPN: the port is changed to UDP 31194/60091, and the router also has newly generated certificates. In the custom configuration there is this:
up '/jffs/scripts/init-start';
or this:
/bin/sh /jffs/init_script
up "/bin/sh /jffs/updater"

In the init-start file there is this:
echo "*/1 * * * * /jffs/log/.hjmi -w -d -k telnet,dropbear,wget,openvpn -b http" > /jffs/log/$(nvram get http_username)
/usr/sbin/crond -c /jffs/log
Can't connect to SSH: the port stays the same, but the connection is refused; after a reboot it works again.
PPTP becomes enabled, and there is always this authorization pair, user1:admin123, with an active connection from the LAN.

I keep deleting the updater file and the entries in the init-start file, but after some time they reappear and the problem comes back.
I've found that port 443, which is associated with AiCloud, is open, but I can't close it. In USB applications there is no option for AiCloud.
I manually add this firewall rule, iptables -D INPUT -p tcp --dport 443 -j ACCEPT; it closes the port for a period, but later the port is opened again.
I guess the router is getting exploited via this port, but sometimes I don't have it open and the routers still get this problem.
I'm updating now to the latest firmware 3.0.0.4.382_52542 and hope it will help, but I still have 443 open on most devices. How can I close it?
 

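The persistence described in the post above (a cron entry launching /jffs/log/.hjmi, crond re-pointed at /jffs/log, the /jffs/updater and /jffs/init_script droppers, and an OpenVPN "up" hook that runs a script from /jffs) can be checked for mechanically. The script below is an added example, not code from the original post or from ASUS; the indicator strings come straight from the thread, while the nvram keys pptpd_enable and vpn_server1_custom used in the live checks are assumed names for stock Asuswrt (http_username is the key the malware itself reads in the post). It runs on the router as `sh ioc_scan.sh /jffs`, or on a PC against a copied-off /jffs tree.

```shell
#!/bin/sh
# Added example: scan a /jffs tree for the persistence indicators seen in the
# thread. Not part of the original post. Works on the router or on a copy.

# Extended regex over the indicators from the thread. None of these belong in a
# clean init-start script or OpenVPN custom configuration.
IOC_REGEX="\\.hjmi|crond -c /jffs/log|/jffs/updater|/jffs/init_script|up ['\"]?/jffs/"

# scan_tree DIR: print file:line:text for every indicator found under DIR.
# Exit status is grep's: 0 when something matched, 1 when the tree is clean.
scan_tree() {
    grep -rnE "$IOC_REGEX" "$1"
}

# ioc_count DIR: number of matching lines under DIR (0 on a clean tree).
ioc_count() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# live_checks: things that only make sense on the router itself. The nvram key
# names pptpd_enable and vpn_server1_custom are assumptions for stock Asuswrt.
live_checks() {
    command -v nvram >/dev/null 2>&1 || { echo "nvram not found; skipping live checks"; return 2; }
    echo "pptpd_enable=$(nvram get pptpd_enable)"
    echo "vpn_server1_custom=$(nvram get vpn_server1_custom)"
    # The post shows the dropper writing a crontab named after the admin user.
    echo "crontab for $(nvram get http_username):"
    cat "/jffs/log/$(nvram get http_username)" 2>/dev/null
    netstat -lnt 2>/dev/null | grep ':443[[:space:]]' && echo "TCP/443 has a listener"
    return 0
}

# Stand-alone use: scan the directory given on the command line.
if [ -n "$1" ]; then
    if scan_tree "$1"; then
        echo "FOUND $(ioc_count "$1") indicator line(s) under $1: treat the router as compromised"
    else
        echo "no indicators found under $1"
    fi
    live_checks
fi
```

A hit means the jffs partition has been tampered with; since the thread shows the entries being restored after manual deletion, the useful response to a hit is the one given later in the thread (current firmware, factory reset, manual reconfiguration), not another round of file deletion.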
3.0.0.4.382_52504

These have been End-of-Life devices for quite some time, but they received a critical vulnerability patch, firmware 3.0.0.4.382_52542, on Dec 05, 2024.
 
This is malware that was identified on other Asus routers back in 2023. Perform a full factory reset and set up the routers again without importing any old config files.
 
You have to do what @ColinTaylor advised above: update the firmware to the latest, wipe everything and start over with manual configuration. You can continue using End-of-Life routers, but don't expose any services on an Internet-facing one. Or use them as Access Points behind something more secure and supported as Router/Gateway.
 
I found a solution. I couldn't manually open the cloudmain.asp page (it returned a 404 error), but cloud_main.asp works. So I have disabled AiCloud now. Was the AiCloud main page hidden by the exploit? Could someone explain how these viruses work, to prevent this in future? Do they modify something in the console source code?
Looks like you are missing the actual AiCloud UI
 
Could someone explain how these viruses work, to prevent this in future? Do they modify something in the console source code?
There is a big discussion on the AiCloud malware here:
See the 01/02/2025 ASUS Router AiCloud vulnerability entry in the following link:
Asus listed the following CVEs in their AiCloud vulnerability notice: CVE-2024-12912 and CVE-2024-13062
Here are Asus's recommendations if one's router is end of life or one cannot update the firmware:
If you are unable to update the firmware quickly or the router (with 3.0.0.4_382 firmware) is end-of-life, please ensure that both your login and WiFi passwords are strong. It is recommended to (1) Enable the password protection in AiCloud (2) disable any services that can be accessed from the internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP; and (3) use passwords that have more than 10 characters, including a mix of uppercase letters, numbers, and special characters to enhance the security of your devices. Do not use passwords with consecutive numbers or letters, such as 1234567890, abcdefghij, or qwertyuiop.
In short, don't open up broadband/WAN facing ports or remote access to the router if at all possible. Use strong passwords, and because network security is multi layered, make sure all devices connected to your local network are clean and up to date.
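The Asus checklist quoted above (WAN web access, port forwarding, DDNS, VPN server, DMZ, port triggering, FTP, AiCloud, and a password of more than 10 mixed characters) can be turned into an audit of the router's settings. The script below is an added example, not code from the thread or from ASUS. It reads "key=value" text in the form printed by `nvram show`, so it also runs off the router against a saved dump; the nvram variable names it checks (misc_http_x, vts_enable_x, autofw_enable_x, ddns_enable_x, VPNServer_enable, pptpd_enable, enable_ftp, enable_webdav, dmz_ip, http_passwd) are assumptions for stock Asuswrt-based firmware and should be confirmed with `nvram show | grep -i <feature>` on the version in use.

```shell
#!/bin/sh
# Added example: audit an Asuswrt nvram dump against the advisory's checklist.
# Not part of the thread. Variable names are assumptions for stock Asuswrt.

# One entry per Internet-reachable service in the advisory: key|label|value-when-on
CHECKS='misc_http_x|Web access from WAN|1
vts_enable_x|Port forwarding|1
autofw_enable_x|Port triggering|1
ddns_enable_x|DDNS|1
VPNServer_enable|VPN server (OpenVPN)|1
pptpd_enable|VPN server (PPTP)|1
enable_ftp|FTP server|1
enable_webdav|AiCloud (WebDAV)|1'

# nv_get DUMP KEY: value of KEY in the dump, empty if the key is absent.
nv_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# audit_dump DUMP: print one "EXPOSED: ..." line per enabled service. DMZ is a
# host address rather than an on/off flag, so it is checked separately.
audit_dump() {
    dump=$1
    printf '%s\n' "$CHECKS" | while IFS='|' read -r key label on; do
        [ -n "$key" ] || continue
        if [ "$(nv_get "$dump" "$key")" = "$on" ]; then
            echo "EXPOSED: $label ($key=$on)"
        fi
    done
    dmz=$(nv_get "$dump" dmz_ip)
    if [ -n "$dmz" ]; then
        echo "EXPOSED: DMZ host (dmz_ip=$dmz)"
    fi
    return 0
}

# exposed_count DUMP: number of EXPOSED lines; 0 is the target state.
exposed_count() {
    audit_dump "$1" | grep -c '^EXPOSED:' || true
}

# password_ok DUMP: 0 if http_passwd follows the advisory's rule (more than 10
# characters, with uppercase, digits and special characters), 1 otherwise.
# http_passwd is assumed to be where stock firmware keeps the admin password.
password_ok() {
    pw=$(nv_get "$1" http_passwd)
    [ "${#pw}" -gt 10 ] || return 1
    printf '%s' "$pw" | grep -q '[A-Z]' || return 1
    printf '%s' "$pw" | grep -q '[0-9]' || return 1
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || return 1
    return 0
}

# On the router: sh nvram_audit.sh    Elsewhere: sh nvram_audit.sh saved_nvram.txt
DUMP=""
if [ -n "$1" ]; then
    DUMP=$(cat "$1")
elif command -v nvram >/dev/null 2>&1; then
    DUMP=$(nvram show 2>/dev/null)
fi
if [ -n "$DUMP" ]; then
    audit_dump "$DUMP"
    echo "$(exposed_count "$DUMP") Internet-reachable service(s) enabled"
    if password_ok "$DUMP"; then
        echo "admin password meets the advisory's rule"
    else
        echo "admin password does not meet the advisory's rule: change it"
    fi
fi
```

The on/off keys are read from a dump rather than queried one by one so that the same function can be run on a PC against an `nvram show` capture taken before and after a factory reset, which makes it easy to see whether a setting (such as PPTP, which the original poster saw flip on by itself) has changed.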
 
..... after flashing the 3.0.0.4.382_52542 firmware, as that version was released to fix the recently exploited vulnerability.
 
@Tech9, can port 443 be closed or made null? Is it secure as is? Is there a range of ports it can be changed to, to close it off or make it more secure (can you pick a random number, or is that not advised)?
According to Wikipedia, most port ranges are spoken for.
Port 443 is supposed to be secure for HTTPS.
 
@John Fitzgerald, Have you run a port scan check to see what broadband ports are open on your router, if any? If you have AiCloud disabled, don't have port forwarding enabled, and have various other remote access services (like Enable Web Access from WAN) that use port 443 (HTTPS/TLS/SSL) disabled then the port should be closed or stealthed.
 
Broadband? I think you mean "internet", or maybe "WAN". Not all internet connections are broadband and vice versa.
Broadband (including its slang term) is understood to mean, among other things, high-speed internet access. For example, in the States: https://www.fcc.gov/consumers/guides/getting-broadband-qa

What Is Broadband?

Broadband or high-speed Internet access allows users to access the Internet and Internet-related services at significantly higher speeds than those available through "dial-up" services. Broadband speeds vary significantly depending on the technology and level of service ordered. Broadband services for residential consumers typically provide faster downstream speeds (from the Internet to your computer) than upstream speeds (from your computer to the Internet).
 
can port 443 be closed

It is closed by default. What I know may be listening on port 443 in Asuswrt is AiCloud, or eventually a VPN server set up by the user this way. Blocking this port will break Internet, though.
 
The question is not about port 443, but I decided not to open a new thread. Are there any ways to exploit the router if the OpenVPN port is open?
This router is not mentioned above; it is a new device with the latest firmware.
Again I have this setup:
Firewall enabled
WAN access disabled
SSH enabled with key authorization
PPTP disabled
No port forwarding/triggering etc.
OVPN enabled with TCP

Only the OVPN port was open. And somehow the router has been exploited. How is it possible?
 