What's new

ASUS urges customers to patch critical router vulnerabilities

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

XIII

Very Senior Member
“ASUS urges customers to patch critical router vulnerabilities”:


(Was this already posted somewhere?)

“The list of impacted devices includes the following models: GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.”

"Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger," ASUS warned in a security advisory published today.
 
And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.
 
And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.
I wouldnt be too worried. I have none of WAN related access enabled. Maybe people that have should take precautions.
 
And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.
Not quite true - one of the listed CVEs specifically refers to versions prior to Asus Merlin 386.7 so that one is covered.

I am curious about the other though. Does netatalk not exist in the 386 build or is this another sign of the creep towards the remaining AC models being EOLd?
 
And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.
IMG_2200.jpeg

Seems @ColinTaylor is into something. Merlin has actually been safer for a while… or bleeping computer is referencing the wrong CVEs. Wouldn’t be the first time.
 
If RMerlin firmware required these fixes, we'd have a point 1 release soon, if not today already.

Security-wise, RMerlin is ahead of Asus stock, more times than not.
 
And a good reason people should be using Stock Asus firmware at least till Merlin can catch up. His latest does not contain any of these security fixes.
That's incorrect. The two CVEs singled out on that article were actually fixed a year ago, for instance... If you read up the CVE bulletin, it even mentions that that one was fixed as early as in 386.7.
 
remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger,
It is interesting that in the list we have VPN server and port forwarding. I am curious how they might be vulnerable. This at least breaks my strong believe in the Rule #1: "the only port open to the WAN shall be the port OpenVPN server is listening on". The believe that any vulnerability of the OpenVPN server is a matter of OpenVPN code itself only is fundamental for my understanding of router security. If there is a possibilty for vulnerability related to the router FW itself and unrelated to the OpenVPN code, the game rules should be fundamentally changed ...
 
It is interesting that in the list we have VPN server and port forwarding. I am curious how they might be vulnerable. This at least breaks my strong believe in the Rule #1: "the only port open to the WAN shall be the port OpenVPN server is listening on". The believe that any vulnerability of the OpenVPN server is a matter of OpenVPN code itself only is fundamental for my understanding of router security. If there is a possibilty for vulnerability related to the router FW itself and unrelated to the OpenVPN code, the game rules should be fundamentally changed ...

"Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger," ASUS warned in a security advisory published today.
When I read this Asus' statement lost a lot of credibility. Rather than publicly admitting there's a known problem with a particular feature(s) they appear to be trying to obfuscate the issue with a non-specific "just disable all remote access". Maybe I'm being too cynical and Asus are merely too lazy to provide any detailed information.
 
Maybe I'm being too cynical and Asus are merely too lazy to provide any detailed information.
My personal guess is that there's a lawyer involved, having them cover their butt in every possible way they can imagine.

Port forward and VPN for instance isn't because of a flaw in these two, but because by giving a remote user LAN access, they could then exploit a LAN-only security issue of the router itself. Yes, it's stretching things to the limit, but that's what lawyers are known for...
 
Lawyers was my thought too - especially if there happened to be an honest technical person in the room that happens to mention a hypothetical scenario that's is technically possible.

Lawyers thought process will be "I don't understand that but let's add it to the disclaimer so we can't be blamed"...
 
What firmware the users have to upgrade to? Is a new one coming soon with all the fixes listed? Not very clear.

RT-AX86U as an example has a firmware month old. People who know some more than average users and want more precise application based parental controls may want to disable QUIC. Otherwise more and more traffic is recognized as QUIC only and not filtered. The Network Services filter is broken on 388_23285 though. They have to stay on the previous firmware 388_22525 - four months old. Upgrade is a good advice, but bugs have to be cleared out first.
 
When I look at the CVE’s in this long list along with the long list of affected models, there’s something not right. Most of those CVE were fixed awhile ago. There has been a lot of firmware updates today so that seems a bit strange too and out of norm.
 
There has been a lot of firmware updates today so that seems a bit strange too and out of norm.
Really? I only see one new firmware update. All the others are old.

GT6 - 2023/05/18
GT-AXE16000 - 2023/04/19
GT-AX11000 Pro - 2023/05/15
GT-AXE11000 - 2023/06/19
GT-AX6000 - 2023/05/12
GT-AX11000 - 2023/05/31
GS-AX5400 - 2023/04/18
GS-AX3000 - 2023/04/19
XT9 - 2023/05/15
XT8 - 2023/05/15
XT8 V2 - 2023/05/15
RT-AX86U Pro - 2023/05/11
RT-AX86U/RT-AX86S - 2023/05/15
RT-AX82U - 2023/05/25
RT-AX58U - 2023/05/31
RT-AX3000 - 2023/05/31
TUF-AX6000 - 2023/04/18
TUF-AX5400 - 2023/05/18
 
Really? I only see one new firmware update. All the others are old.

GT6 - 2023/05/18
GT-AXE16000 - 2023/04/19
GT-AX11000 Pro - 2023/05/15
GT-AXE11000 - 2023/06/19
GT-AX6000 - 2023/05/12
GT-AX11000 - 2023/05/31
GS-AX5400 - 2023/04/18
GS-AX3000 - 2023/04/19
XT9 - 2023/05/15
XT8 - 2023/05/15
XT8 V2 - 2023/05/15
RT-AX86U Pro - 2023/05/11
RT-AX86U/RT-AX86S - 2023/05/15
RT-AX82U - 2023/05/25
RT-AX58U - 2023/05/31
RT-AX3000 - 2023/05/31
TUF-AX6000 - 2023/04/18
TUF-AX5400 - 2023/05/18
Just looking at forum posts from today I see
Ax86u pro, gtax6000, ax3000, xt12
Might be one or two more, someone mentioned 88u pro but it may have been pulled be he has screenshot showing it.
ax58 shows 6/15 date but matches descriptions of 6/20.
TUF-AX6000
 
Last edited:

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top