Asuswrt-Merlin is NOT vulnerable to any of the new SSLv2 flaws

[RMerlin]

Asuswrt-Merlin is not vulnerable to any of the new OpenSSL flaws that target the old SSLv2 protocol, as SSLv2 (and v3) support has been disabled in Asuswrt-Merlin since late 2014:

https://github.com/RMerl/asuswrt-merlin/commit/653dc8c5b0d45c13c41d5402cbd7e89121ad1dd9
https://github.com/RMerl/asuswrt-merlin/commit/5bb4c10519f854396e19e3646fa2d47122d79422

So, no need to panic, just make sure you run a firmware that isn't over 12 months old.

(stickying this for a week or two while the storm rolls)

 

[Deleted member 22229]

Does the same go for recent Asus stock firmware ?

 

[RMerlin]

Does the same go for recent Asus stock firmware ?

I know their https no longer uses SSLv2/v3 either (they merged my mssl library changes at the same time they upgraded to OpenSSL 1.0.2). I don't remember however if their Makefile also explicitly disable it in the openssl library itself. If they don't, then the two potential vectors of attack would be AiCLoud (need to check how they configured lighttpd) and OpenVPN (does OpenVPN even supports SSLv2 at all? I don't know).

 

[RMerlin]

AiCloud is also safe in stock FW. From write_webdav_conf:

  fprintf(fp, "  ssl.use-sslv2=\"disable\"\n");
  fprintf(fp, "  ssl.use-sslv3=\"disable\"\n");

 

[Deleted member 22229]

Thanks Merlin good to know.

 

[bayern1975]

What about OpenVPN? It must be very safe....a lots of peoples using it....so, are we safe?

sent from Kodi 17 Krypton

 

[Veldkornet]

In case no one reads the news, like me... Here's some news about it

Cross-protocol attack on TLS using SSLv2
More than 11 million HTTPS websites imperiled by new decryption attack
One-third of all HTTPS websites open to DROWN attack - Hackers can break TLS using SSLv2
The Drown Attack

 

[RMerlin]

What about OpenVPN? It must be very safe....a lots of peoples using it....so, are we safe?

sent from Kodi 17 Krypton

There's no SSLv2 support _at all_ in Asuswrt-Merlin. It's disabled right in the OpenSSL library itself.

 

[RMerlin]

And apparently OpenVPN only supports tls 1.0 and up - no support for SSLv2 or SSLv3.

 

[Rango]

Merlin how secure are asus routers or more specific it's source code vs pfsesne firewall for example for someone with knowledge how to hack to get past them. I'm more interested if it's easy for let's say NSA to hack, get into asus router vs pfsense for example. Maybe a silly question but would appreciate expert answer. Thank you in adavnace.

 

[sfx2000]

AiCloud is also safe in stock FW. From write_webdav_conf:

Someone should check w/Asus to ensure that the server side components are safe... AiCloud, Asus DDNS, etc...

 

[Nullity]

Merlin how secure are asus routers or more specific it's source code vs pfsesne firewall for example for someone with knowledge how to hack to get past them. I'm more interested if it's easy for let's say NSA to hack, get into asus router vs pfsense for example. Maybe a silly question but would appreciate expert answer. Thank you in adavnace.

This is a question that is impossible to answer.

Anyway, the biggest threat to security, most of the time, will be the user. Reading some introductory books on the topics of firewalling & networking might be a good start.


AFAIK, RMerlin uses an Asus RT-AC88U as the primary router in his own house, which might answer part of your question.

 

[sfx2000]

This is a question that is impossible to answer.

Anyway, the biggest threat to security, most of the time, will be the user. Reading some introductory books on the topics of firewalling & networking might be a good start.

AFAIK, RMerlin uses an Asus RT-AC88U as the primary router in his own house, which might answer part of your question.

I would tend to agree - there's no such thing as "perfect" code - and there are bugs in every OS that have been around for years - most of them are unintentional... whether it's this SSLv2 bug, which, while serious, is actually an extension of a very old bug - the glibc scare last week - same thing, it's been there for years...