ASUS RT-AC66U Firmware version 3.0.0.4.374.5517 is out

[_robodoc_]

ASUS RT-AC66U Firmware version 3.0.0.4.374.5517
Security related issues:
1. Fixed remote command execution vulnerability
2. Fixed cross site scripting vulnerability
3. Fixed parameters buffer overflow vulnerability
4. Fixed XSS(Cross Site Scripting) vulnerability
5. Fixed CSRF(Cross Site Request Forgery) vulnerability
6. Added auto logout function. The timeout time can be configured in - Administration--> System
7. Included patches related to network map. Thanks for Merlin's contribution.
8. Fixed password disclosure in source code when administrator logged in.
9. Changed OpenSSL Library from 1.0.0.b to 1.0.0.d. Both OpenSSL versions are not vulnerable to heartbleed bug.

Others:
1. Fixed IPTV related issues.
2. Modified the 3G/LTE dongle setting process in quick internet setup wizard.
3. Fixed the Cloud sync problem
4. Fixed Parental control check box UI issues.
5. Modified the FTP/ Samba permission setting UI
6. Modified media server setting UI
7.Samba/ media server/ iTunes server name can be changed.
8. Dual wan fail over now support fail back
9. Fixed wake on lan magic packet sending issue.
10. Fixed false alarm for samba and ftp permission.
11. Fixed IPv6 related issues.

Special thanks for David and Palula’s research
CVE-2014-2719 http://dnlongen.blogspot.com/2014/04/CVE-2014-2719-Asus-RT-Password-Disclosure.html
Remote command execution http://seclists.org/fulldisclosure/2014/Apr/58
Reflected XSS: http://seclists.org/fulldisclosure/2014/Apr/59


They fixed a lot. But DFS support (therefore no 5GHz higher channels for European users) is still lacking.

 

[tpackage]

ASUS RT-AC66U Firmware version 3.0.0.4.374.5517

Yes, I installed it and did a full router reset, seems to be working fine. Getting hard wired and 2.4/5.0 GHz Wi-Fi speedtest.net speeds on laptop of 120Mbps.

 

[sanke1]

I cannot see any download link.

Asus support page does not have it listed.

 

[_robodoc_]

http://www.asus.com/us/Networking/RTAC66U/HelpDesk_Download/

 

[XIII]

OpenVPN was running fine in Merlin's RT-AC66U_3.0.0.4_374.40 firmware.

I'm trying to get it to work with the vanilla ASUS firmware (which now includes OpenVPN support). Since I am using iOS7's VPN on Demand feature I do not want to use a username and password for authentication. My configuration worked fine with Merlin's build, but the config.ovpn file from Asus always contains this line:

plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

When I comment it out (via telnet) and restart the server using this command OpenVPN does seem to work via VPN on Demand on my iOS devices:

/etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn

Without that change I get error messages like this:

TLS Error: Auth Username/Password was not provided by peer

Does the ASUS implementation (configuration) really differ from Merlin's?

I noticed that ASUS uses "Username / Password Auth. Only", while Merlin uses "Username/Password Authentication". Does the "Only" indicate the difference? (ASUS: optionally allow user/password only, Merlin: optionally disable username/password?)

Or did I misunderstood a GUI setting? (Which?)

 

[roscolo]

Updated and running smooth. Thanks for the updates, Asus!

 

[sanke1]

OK This is AC-66U. Wondering when AC-68U will see the updated firmware!!

 

[MrSinatra]

I have an AC66r

I was able to DL from the website and install it via local file and I did it from my wireless laptop and it went very smoothly, I didn't even have to power cycle the router manually or anything! so kudos to that.

however, it is now 2 days since it was released, and the router itself gave no indication that a newer firmware was available, either at login or the network map page, or even the router fw page after clicking "check"!

so, I think that is STILL a problem even tho fw history says its been addressed several times.

 

[hggomes]

9. Changed OpenSSL Library from 1.0.0.b to 1.0.0.d. Both OpenSSL versions are not vulnerable to heartbleed bug.

Cannot understand ASUS, why not update to the latest 1.0.1g?

 

[RMerlin]

Cannot understand ASUS, why not update to the latest 1.0.1g?

Switching from the 1.0.0 branch to the 1.0.1 branch carries a hefty risk of breaking other things.

However, a better question is why they updated from 1.0.0b to 1.0.0d, rather than to 1.0.0j, which is the latest in that branch (and which is the version my firmware has been using without any issue for well over a year now).

 

[Binar]

Hmm so this is no go for ac68u

 

[hggomes]

Switching from the 1.0.0 branch to the 1.0.1 branch carries a hefty risk of breaking other things.

However, a better question is why they updated from 1.0.0b to 1.0.0d, rather than to 1.0.0j, which is the latest in that branch (and which is the version my firmware has been using without any issue for well over a year now).

That should not be a problem for them, if they bother to update to 1.0.0d they could do it to any version, as long they really want to mantain the software updated, i dont talk only of OpenSSL, but also several ancient software that makes part of the source code.

Btw Rmerlin i see this on your FW:

rstats[577]: problem loading /mnt/tomato_rstats_e03f4923f3b0.gz. still trying...

 

[RMerlin]

That should not be a problem for them, if they bother to update to 1.0.0d they could do it to any version, as long they really want to mantain the software updated, i dont talk only of OpenSSL, but also several ancient software that makes part of the source code.

It's not that simple, and I have first hand experience with this. A few years ago I updated buxybox to a newer version. The result was well over a month of quirks surfacing left and right due to compatibility issues caused by the new Busybox version. The Download Master downloader/installer script for instance stopped working because the awk syntax used by the script was no longer working with the new Busybox. I was forced to revert the awk code in 1.21 back to 1.17 to fix Download Master.

So no, upgrading to "any version" is not always possible without causing other issues. That's why you usually only upgrade a package if you have a valid reason to do so, and are willing to spend the time needed to ensure it doesn't break anything else.

Btw Rmerlin i see this on your FW:

rstats[577]: problem loading /mnt/tomato_rstats_e03f4923f3b0.gz. still trying...

It means your stats database location is incorrect. You are pointing it to /mnt/, while USB disks are mounted under /mnt/labelname/ or /mnt/devicename/.

 

[hggomes]

I'm not saying it does not break things, what i wanted to say was that if they want to update all software without breaking things they could do it, software updates are always good for obvious reasons, they bring new features, fix problems/bugs, etc, etc.

We should not forget that they are the creators of the FW, so it should not be a problem "mess" with it

I've checked and the device changed the mount point somehow, fixed now. Thanks

 

[rtcomputersinc]

I have the one of my 66u's setup like a standalone MiFi router with a Pantech UML290 LTE aircard. The only issue I have run into so far with this FW is I have to most mornings restart the router because the aircard shows disconnected. I use to use this in what I called a Hillbilly wireless with a laptop running internet sharing and the card would run no problem for days. The setup is great since I can drop the router off in a field run power to it and you have high speed internet. Except for needing restart it runs flawless. Anyone else see and issue running it like this?

 

[sol1109]

3.0.0.4.374_5656 is the current firmware and resolved all the reboot and disconnection issues I was having with 3.0.0.4.374.5517.

 

[habskilla]

3.0.0.4.374_5656 for the AC66U? Do you have a link for that file?

 

[rtcomputersinc]

This is the 66U forum the 5656 firmware is for the 68U.

 

[sol1109]

Sorry, my bad.

 

[larry axtell]

I have the one of my 66u's setup like a standalone MiFi router with a Pantech UML290 LTE aircard. The only issue I have run into so far with this FW is I have to most mornings restart the router because the aircard shows disconnected. I use to use this in what I called a Hillbilly wireless with a laptop running internet sharing and the card would run no problem for days. The setup is great since I can drop the router off in a field run power to it and you have high speed internet. Except for needing restart it runs flawless. Anyone else see and issue running it like this?