AI Protection Exploit asuswrt 3.0.0.4.376_1071 LAN Backdoor Command Execution (CVE-2014-0583)

[draohnjeii]

I'm seeing Exploit asuswrt 3.0.0.4.376_1071 LAN Backdoor Command Execution (CVE-2014-0583) in my AI Protection log. Does this mean that one of the systems on my LAN is compromised? When I read about this vulnerability, it shows that its a LAN based attack. I have been running Asuswrt-Merlin 384.4_2 on my RT-AC3200

 

[RMerlin]

No, it means that something tried to exploit that issue, which has been fixed years ago. Therefore nothing to worry about. You can determine who tried to access that by looking at the source in the log. It's probably from the WAN, looking for people with exposed routers.

That IPS is doing more harm than good so far IMHO. Most users don't have the technical know-how to properly understand its reports. What it does is more about showing off that it's blocking something than providing an actual security improvement.

 

[draohnjeii]

No, it means that something tried to exploit that issue, which has been fixed years ago. Therefore nothing to worry about. You can determine who tried to access that by looking at the source in the log. It's probably from the WAN, looking for people with exposed routers.

That IPS is doing more harm than good so far IMHO. Most users don't have the technical know-how to properly understand its reports. What it does is more about showing off that it's blocking something than providing an actual security improvement.

Wow a response from the man himself! The AI Protection screen shows the source IP address which is an external IP address, I just got nervous because the vulnerability is described as a LAN vulnerability, so I was thinking it could only be attempted to be exploited internally from my network.

So you recommend actually disabling AI Protection altogether? You're saying the router has those vulnerabilities patched anyway, so even if it didn't block the malicious packet, it wouldn't be able to exploit the vulnerability anyway so its basically redundant protection?

 

[Insight]

Thats pretty cool. I just had the same alert as well coming from an IP based in Brazil. Not too much on the web of that address so far but interesting to see on these forums.

No, it means that something tried to exploit that issue, which has been fixed years ago. Therefore nothing to worry about. You can determine who tried to access that by looking at the source in the log. It's probably from the WAN, looking for people with exposed routers.

That IPS is doing more harm than good so far IMHO. Most users don't have the technical know-how to properly understand its reports. What it does is more about showing off that it's blocking something than providing an actual security improvement.

Are you saying it's blocking more than is should or just causing panic with end users? I like the feature myself, especially since Asus has had some trouble in the past with vulnerabilities.

 

[RMerlin]

Are you saying it's blocking more than is should or just causing panic with end users? I like the feature myself, especially since Asus has had some trouble in the past with vulnerabilities.

It's just causing unnecessary panic. The router's firewall was already blocking these connection attempts, because as hinted by the description. that exploit only worked within the LAN, or if you had the router's firewall disabled.

 

[bblearner]

Hi, unfortunately my Asus is showing in the AI protection report that the Exploit Asuswrt connection attempt is coming from an INTERNAL IP address on my network, actually from my laptop. The log is pretty consistent with when my pc is on, so it's no coincidence. Is it a fair assumption that my pc is infected?I'm running Eset NOD32, regular scans, etc etc, and it shows nothing, but I did have a recent serious security breach through RDP on another computer on the network. Thanks for any help.