ASUS RT-AC87U / FW Merlin 384.13_10 vulnerable due to dnsmasq?

[JIPG]

I have seen that, as for other ASUS routers, there is a new beta FW for the RT AC87U that solves a lot of vulnerabilities. Are these ones related to the dnsmasq problem?:
CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686

If the answer is YES, then it should be recommended to install the ASUS Beta and remove forever the Merlin FW 384.13_10, or on the other hand, the Merlin FW is not affected?

If some can add some light on it, I will be very grateful. I would like to continue using the Merlin FW, but if it is a high risk, I will have no other option than installing the ASUS Beta.

 

[taffeys]

As stated by ASUS in the notes for firmware version 9.0.0.4.382.52503 Beta Version released on 2021/02/02 "Please be noted this is a quick fix beta version for DNSmasq vulnerabilities."

 

[JIPG]

As stated by ASUS in the notes for firmware version 9.0.0.4.382.52503 Beta Version released on 2021/02/02 "Please be noted this is a quick fix beta version for DNSmasq vulnerabilities."

Thank you for the quick replay!.

Then, the next question is if the older dnsmasq version in Merlin FW is affected ...

 

[taffeys]

It must be:

384.13_8 (26-Apr-2020)
This release is only available for the RT-AC87U and RT-AC3200.

UPDATED: dnsmasq to 2.81-openssl (themiron)

386.1 (30-Jan-2021)

UPDATED: dnsmasq to 2.84, resolving CVE-2020-25681,
CVE-2020-25682, CVE-2020-25683, CVE-2020-25687,
CVE-2020-25684, CVE-2020-25685 and
CVE-2020-25686 aka DNSpooq (themiron)

 

[JIPG]

It must be:

384.13_8 (26-Apr-2020)
This release is only available for the RT-AC87U and RT-AC3200.

- UPDATED: dnsmasq to 2.81-openssl (themiron)

386.1 (30-Jan-2021)

UPDATED: dnsmasq to 2.84, resolving CVE-2020-25681,
CVE-2020-25682, CVE-2020-25683, CVE-2020-25687,
CVE-2020-25684, CVE-2020-25685 and
CVE-2020-25686 aka DNSpooq (themiron)

OK then. My doubt was if the vulnerabilities were introduced in recent versions of dnsmasq or they were there from the beginning ...

Then, it is time to install the ASUS beta. It is a pity to loose the Merlin FW, but the security is first.

 

[L&LD]

@JIPG I agree with your assessment, but for myself, I would wait until Asus releases this properly.

Many have been burnt with pulled firmware (stable), let alone Beta releases from them.

 

[JIPG]

@JIPG I agree with your assessment, but for myself, I would wait until Asus releases this properly.

Many have been burnt with pulled firmware (stable), let alone Beta releases from them.

I would like to do it, but the RT AC87U is not longer maintained my RMerlin, as it is not in the same code base than the others ...

 

[L&LD]

There is nothing to 'do' right now. Wait until Asus takes these fixes out of Beta status with a stable firmware.

 

[JIPG]

Is it a problem if I use it as AP instead of main router? (I am a total noob, so I do not know if dnsmasq plays any role in AP mode).

 

[L&LD]

If you're using it only in AP or Media Bridge mode, no problem. Stay on the RMerlin branch instead.

 

[JIPG]

OK, this can be the solution just now, as I have just bought a new AX88U (I waited until FW 386.1 was released ).
My intention was to reuse the AC87U in another place as main router, because it cannot be used as a node in AiMesh, but at least it can replace an old TPlink I have as AP.

It is a pity, because the AC87U was my first "real" (=powerfull) router and it has been working nicely under these demanding times when the whole family has been working/studying remotely, and using it as AP seems to be a killer, but the AX88U is a good upgrade.

 

[GSpock]

OK then. My doubt was if the vulnerabilities were introduced in recent versions of dnsmasq or they were there from the beginning ...

Then, it is time to install the ASUS beta. It is a pity to loose the Merlin FW, but the security is first.

In the same situation with my AC87U: installed Merlin as of day 1, so no experience at all with ASUS fw, and router has been very stable & performant. Now, I had a look at those CVE and honestly it is chineese for me . so quite difficult to assess the real risk for me.

I am using some /jffs/script (cron), OpenVpn clients, OpenVPN Server(s) and accessing the router via SSH. Are those funcrionanlities working in ASUS fw?

Any chances that @RMerlin provides a fix just for these ?

Rgds,
GS

 

[RMerlin]

Any chances that @RMerlin provides a fix just for these ?

No. I gave ample early warning about the discontinuation of this model, and it was discontinued last year. If I draw a line in the sand as to how long I intend to support a device and then I constantly start releasing more fixes, then it would be meaningless and never ending.

I have moved on to other models. I don't have the time or resources to support multiple separate firmware branches for outdated models that cannot be run with my current code. I did it for a while last year, and it was absolute hell. It led me to put a stop on all development for a few months, until Asus reunited at least their current models into a common code base.

Anyone could fork out the 384_10 code and continue releasing security updates if they wished. That's why it's open sourced. Someone else can take care of it, as I can't.

 

[GSpock]

No. I gave ample early warning about the discontinuation of this model, and it was discontinued last year. If I draw a line in the sand as to how long I intend to support a device and then I constantly start releasing more fixes, then it would be meaningless and never ending.

I have moved on to other models. I don't have the time or resources to support multiple separate firmware branches for outdated models that cannot be run with my current code. I did it for a while last year, and it was absolute hell. It led me to put a stop on all development for a few months, until Asus reunited at least their current models into a common code base.

Anyone could fork out the 384_10 code and continue releasing security updates if they wished. That's why it's open sourced. Someone else can take care of it, as I can't.

Thanks for you answer. What would be your recommendation for a replacement with the objective to have your software supported as long as possible ? (AX88, AX86, .. ?)
Rgds,
GS

 

[RMerlin]

Thanks for you answer. What would be your recommendation for a replacement with the objective to have your software supported as long as possible ? (AX88, AX86, .. ?)
Rgds,
GS

Depends on your specific needs and budget.

 

[GSpock]

Depends on your specific needs and budget.

Needs: I am using some /jffs/script (cron), OpenVpn clients, OpenVPN Server(s), heavy downloads sometimes, some basics port forward and accessing the router via SSH .. last but not least: Merlin supported as long as possible ;-)
Budget: around 250euros would be great but ready to put a little more if best quality/price.

 

[RMerlin]

If using OpenVPN, then I would look at the RT-AX86U, or if it's too expensive then the RT-AC86U.

 

[grifo]

In the same situation with my AC87U: installed Merlin as of day 1, so no experience at all with ASUS fw, and router has been very stable & performant. Now, I had a look at those CVE and honestly it is chineese for me . so quite difficult to assess the real risk for me.

You could install Unbound (which is easy thanks to the excellent unbound_manager script by @Martineau) as a workaround for these dnsmasq vulnerabilities and if other serious vulnerabilities don't come up too soon you could keep using your RT-AC87U until there's a good selection of wifi 6E routers, probably next year. Wifi 6E is the biggest wifi upgrade in years.

 

[mromero]

I have seen that, as for other ASUS routers, there is a new beta FW for the RT AC87U that solves a lot of vulnerabilities. Are these ones related to the dnsmasq problem?:
CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686

If the answer is YES, then it should be recommended to install the ASUS Beta and remove forever the Merlin FW 384.13_10, or on the other hand, the Merlin FW is not affected?

If some can add some light on it, I will be very grateful. I would like to continue using the Merlin FW, but if it is a high risk, I will have no other option than installing the ASUS Beta.

Merlin dropped support for the RT AC87U last year I think. I have one lying in my rubbish bin. I think I have Merlin firmware on it. The model used to run too hot for me, (same as the current Merlin latest on the RT AC86U) so I had it on a laptop cooler before I retired it.

The problem with DNSMASQ is easy to solve. Use the genuine beta Asus firmware, or keep Merlin's old firmware and patch it with UNBOUND. Better yet, keep your Asus router behind a commercial grade router that has UNBOUND and other goodies and no worries about Asus vulnerabilities as they develop.

 

[grifo]

Merlin dropped support for the RT AC87U last year I think. I have one lying in my rubbish bin. I think I have Merlin firmware on it. The model used to run too hot for me, (same as the current Merlin latest on the RT AC86U) so I had it on a laptop cooler before I retired it.

High temps aren't really a problem for these routers. My RT-AC87U has been running around 90 degrees Celsius for the 4 summers since I got it (spring 2017), it hasn't skipped a beat and it's still running as a champ. I'd bet it would have kept running for 5 more years if it weren't for the firmware, which is the real issue.