What's new

Release ASUS RT-AC68U Firmware version 3.0.0.4.386_51685 (2024/04/15)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

ASUS warns of critical remote authentication bypass on seven routers including the End of Life RT-AC68U which will not be updated if they follow their policy.

See: https://www.bleepingcomputer.com/ne...al-remote-authentication-bypass-on-7-routers/

I recommend you consider upgrading to the RT-AX86U Pro or another Asus router with 3.0.0.6 series firmware.

Update: The last firmware already mitigated this CVE-2024-3080. But it was added to the release notes after the original release...
 
Last edited:
ASUS warns of critical remote authentication bypass on seven routers including the End of Life RT-AC68U which will not be updated if they follow their policy.

See: https://www.bleepingcomputer.com/ne...al-remote-authentication-bypass-on-7-routers/

I recommend you consider upgrading to the RT-AX86U Pro or another Asus router with 3.0.0.6 series firmware.
Seems to be already fixed in this very release. Don't know why it wasn't listed in post #1, but it's included now.
ASUS RT-AC68U Firmware version 3.0.0.4.386_51685
Version 3.0.0.4.386_51685
98.85 MB
2024/04/15
- Fixed CVE-2024-3079 and CVE-2024-3080. Thanks to the contribution of swing from Chaitin Security Research Lab.
- Fixed command injection vulnerability.
- Fixed the ARP poisoning vulnerability. Thanks to the contribution of Xin'an Zhou.
- Fixed code execution in custom OVPN. Thanks to the contrubution of Jacob Baines.
- Fixed the injection vulnerability in AiCloud.
- Fixed stack buffer overflow in lighttpd. Special thanks to Viktor Edstrom.
- Fixed CVE-2023-35720
- Fixed the code execution vulnerability in AiCloud. Thanks to the contribution of chumen77.
- Fixed the XSS and Self-reflected HTML injection vulnerability. Thanks to the contrubution of Redfox Cyber Security.
 
Seems to be already fixed in this very release. Don't know why it wasn't listed in post #1, but it's included now.
Sorry, I missed that. It was added to the release notes after the original release...
 
Last edited:
The RT-AC86U is listed as one of the 7 affected routers and yet the CVE-2024-3080 issue was fixed in the 29 March 2024 firmware release. In fact, all 7 hade this issue fixed in March and April, so don't understand why this is being reported on in June.
 
Last edited:
Where can these release notes be found? Nether the downloaded release changelog nor https://www.asuswrt-merlin.net/changelog mention this
This thread is discussing ASUS RT-AC68U Firmware version 3.0.0.4.386_51685 (2024/04/15) not the Asus-Merlin firmware.
ASUS RT-AC68U Firmware version 3.0.0.4.386_51685
Version 3.0.0.4.386_51685
98.85 MB
2024/04/15
- Fixed CVE-2024-3079 and CVE-2024-3080. Thanks to the contribution of swing from Chaitin Security Research Lab.
- Fixed command injection vulnerability.
- Fixed the ARP poisoning vulnerability. Thanks to the contribution of Xin'an Zhou.
- Fixed code execution in custom OVPN. Thanks to the contrubution of Jacob Baines.
- Fixed the injection vulnerability in AiCloud.
- Fixed stack buffer overflow in lighttpd. Special thanks to Viktor Edstrom.
- Fixed CVE-2023-35720
- Fixed the code execution vulnerability in AiCloud. Thanks to the contribution of chumen77.
- Fixed the XSS and Self-reflected HTML injection vulnerability. Thanks to the contrubution of Redfox Cyber Security.

*Please be advised that due to a security upgrade in AiMesh, we strongly recommend against downgrading to previous firmware versions, as this may lead to connection issues. Should you encounter any difficulties, resetting the AiMesh router to its default settings and re-establishing the mesh connection can resolve the problem.

Please unzip the firmware file, and then verify the checksum.
SHA256: aded7987b384440cffc24755a9e5005d09174bf4d2836ba8e50c3bca8866b755
PS: And from the Asus Product Security Advisory page:
06/14/2024 XT8, XT8_V2, RT-AX88U, RT-AX58U, RT-AX57, RT-AC86U, RT-AC68U security update notice for CVE-2024-3079 and CVE-2024-3080

ASUS has released a new firmware update for the XT8, XT8_V2, RT-AX88U, RT-AX58U, RT-AX57, RT-AC86U, RT-AC68U

We advise you to check your equipment and security procedures regularly, as this will make you safer. As a user of an ASUS router, we recommend doing the following steps:

• Update your router with the newest firmware. We encourage you to do this when new firmware becomes available. You can find the newest firmware on the ASUS support page at
https://www.asus.com/support/ or the relevant product page at
https://www.asus.com/Networking/. ASUS has provided a link to new firmware for some routers at the end of this notice.
• Use different passwords for your wireless network and router-administration page. Use passwords that have at least 10 characters, with a mix of capital letters, numbers and symbols. Do not use the same password for more than one device or service.

If you are not able to update the firmware quickly, please make sure that both your login and WiFi passwords are strong. It is recommended (1) disable any services that can be reached from the internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger. (2) passwords have more than 10 characters with a variety of capitalized letters, numbers, and special characters to increase the security level of your devices. Do not use passwords with consecutive numbers or letters, such as 1234567890, abcdefghij, or qwertyuiop."

For further help with router setup and an introduction to network security, please visit

Model name Support Site link
XT8 and XT8_V2 https://www.asus.com/uk/supportonly/asus zenwifi ax (xt8)/helpdesk_bios/
RT-AX88U https://www.asus.com/supportonly/RT-AX88U/helpdesk_bios/
RT-AX58U https://www.asus.com/supportonly/RT-AX58U/helpdesk_bios/
RT-AX57 https://www.asus.com/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax57/helpdesk_bios
RT-AC86U https://www.asus.com/supportonly/RT-AC86U/helpdesk_bios/
RT-AC68U https://www.asus.com/supportonly/RT-AC68U/helpdesk_bios/
What is confusing some is the fact that this firmware update which contains the fix(s) for CVE-2024-3079 and CVE-2024-3080 has been out for several months for the seven mentioned routers, but is only now being mentioned by BleepingComputer and Asus.

As for the Asus-Merlin firmware for the seven mentioned routers, see here:
https://www.snbforums.com/threads/i...f-us-using-merlin-firmware.90598/#post-913315
 
Last edited:
I don't see it on the FW details either.
Look up ONE post from yours where I pasted exactly what Asus posted on their RT-AC68U firmware download page. The referenced CVE (PS: CVE-2024-3080) is specifically mentioned in the first line after the firmware version, size and release date.
 
Last edited:
Any thoughts on why the RT-AC66U B1, which is supposedly the same hardware as the RT-AC68U but in a different form factor, isn't listed as impacted by the security issue?
The most recent firmware for it has the same version number (3.0.0.4.386_51685), but doesn't mention the fixing of those critical CVEs (namely "Fixed CVE-2024-3079 and CVE-2024-3080.").
 
Look up ONE post from yours where I pasted exactly what Asus posted on their RT-AC68U firmware download page. The referenced CVE (PS: CVE-2024-3080) is specifically mentioned in the first line after the firmware version, size and release date.
If you follow the comment thread of my responses, I was not asking about 3080. Thanks all the same.

Colin above answered me as the 0401 was listed under the copvn line.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top