Asus router firmware security

Dropbear does support these, they just ain't enabled. I don't know however if it's because they have to be manually enabled, or because the linked OpenSSL doesn't have these cryptos enabled in it.

I looked, and it appears that OpenSSL does have these enabled. So I did a build with them enabled in dropbear.

Chrysalis - If you want to give it a try, drop me a PM.
 
I was going to try it out, but thanks for doing so. Chrysalis, please keep me informed whether it works properly.

As an aside: I had to spend some time at work this afternoon looking into the deprecation of SHA-1, as Entrust sent me a notification to that effect. I'll have to reissue about 15-20 SSL certificates in the coming weeks for one of my customers, as they're all SHA-1 signed. Fun times.
 
It works as expected, thanks to john for the quick new firmware to test it.
 
Ok, I'll enable it. This will be included with the 376.47 release.
 
BTW, what is the procedure by which client and server negotiate which protocol version to use? I have Win10, which has full-featured SMBv3.2, and smbd daemon version 3.0.33 on the router, but when I check the SMB session, I see that the v1.5 dialect is used for communication. Why?
How can I make them use the latest SMBv3?
Considering recent ransomware attacks which use SMBv1 vulnerabilities, this thing is critical.
 
Samba 3.0.33 only supports SMB1. You need Samba 3.6 for SMB2, and Samba 4 for SMB3.
 
Following the previous conversation:
I am trying to disable SMB1 on Merlin by adding

Code:
min protocol = SMB2
smb encrypt = mandatory
and deleting
Code:
max protocol = NT1

from /tmp/etc/smb.conf.
But after reboot the file is rewritten with the old version. What am I doing wrong? Maybe I edit the wrong config?
 
SMB2 can be enabled on the Network File settings page (380.67) or Tools -> Other Settings (previous versions).

"smb encrypt" is a UNIX extension to Samba, it's not supported by Windows clients. Native encryption was only added by Windows with SMB3, which is not supported by Samba 3.6.25.
 
Thanks. One more question: if I want to replace some parameter in some config, my only choice is postconf script? conf.add scripts only append?
For example, if I simply add those parameters via /jffs/configs/XXX.add, then it can be contradictory with the existing config?
What is the use-case of .add scripts if almost the same (and more) can be achieved with postconf?
 
Thanks. One more question: if I want to replace some parameter in some config, my only choice is postconf script? conf.add scripts only append?

That's correct.

What is the use-case of .add scripts if almost the same (and more) can be achieved with postconf?

.conf.add support predates that of postconf. conf.add was kept not only for backward compatibility, but also because it's a very simple solution. A single-line conf.add file takes 10 seconds to write, and will add a new parameter to dnsmasq.conf for instance, versus postconf being a full-fledged shell script, requiring some additional knowledge on how to write a script (the shebang, escaping characters, UNIX encoding, remembering the helper function or being skilled in sed, etc.).
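
The append-versus-replace difference discussed above, as an added example that is not from the thread or the firmware: it applies the smb.conf change asked about earlier (drop `max protocol = NT1`, set `min protocol = SMB2`) both ways to a constructed sample config. The function names are hypothetical, and using `del_param` and `set_param` from a postconf script assumes that script is given the path of the generated config as its first argument.

```shell
#!/bin/sh
# Added example, not firmware code. The sample config is constructed.

# del_param FILE KEY: drop every line that sets KEY.
del_param() {
    sed "/^[[:space:]]*$2[[:space:]]*=/d" "$1" > "$1.new" && mv "$1.new" "$1"
}

# set_param FILE KEY VALUE: rewrite existing "KEY = ..." lines in place, or
# insert the setting right after the [global] header when KEY is absent.
set_param() {
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed "s|^[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1" > "$1.new"
    else
        sed "/^\[global\]/a\\
$2 = $3" "$1" > "$1.new"
    fi
    mv "$1.new" "$1"
}

# get_params FILE KEY: print the value of every line that sets KEY.
get_params() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# Constructed stand-in for a generated smb.conf.
make_sample() {
    printf '%s\n' '[global]' 'workgroup = WORKGROUP' \
        'max protocol = NT1' '[share]' 'path = /tmp/mnt/sda1' > "$1"
}

# Append-only behaviour: the old "max protocol = NT1" line survives, and in
# this sample the new line lands after the last section header.
append_style() {
    make_sample "$1"
    echo 'min protocol = SMB2' >> "$1"
}

# Replace behaviour: remove the conflicting line, then set the new one
# inside [global]. Running set_param again does not add a second copy.
postconf_style() {
    make_sample "$1"
    del_param "$1" 'max protocol'
    set_param "$1" 'min protocol' 'SMB2'
}
```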
 