What's new

Is this a concern for those of us using Merlin firmware? (CVE-2024-3080)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

n2ubp

Occasional Visitor
Is this a concern for those of us using Merlin firmware?

ASUS has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices.


The flaw, tracked as CVE-2024-3080 (CVSS v3.1 score: 9.8 “critical”), is an authentication bypass vulnerability allowing unauthenticated, remote attackers to take control of the device.


ASUS says the issue impacts the following router models:


  • XT8 (ZenWiFi AX XT8) – Mesh WiFi 6 system offering tri-band coverage with speeds up to 6600 Mbps, AiMesh support, AiProtection Pro, seamless roaming, and parental controls.
  • XT8_V2 (ZenWiFi AX XT8 V2) – Updated version of the XT8, maintaining similar features with enhancements in performance and stability.
  • RT-AX88U – Dual-band WiFi 6 router with speeds up to 6000 Mbps, featuring 8 LAN ports, AiProtection Pro, and adaptive QoS for gaming and streaming.
  • RT-AX58U – Dual-band WiFi 6 router providing up to 3000 Mbps, with AiMesh support, AiProtection Pro, and MU-MIMO for efficient multi-device connectivity.
  • RT-AX57 – Dual-band WiFi 6 router designed for basic needs, offering up to 3000 Mbps, with AiMesh support and basic parental controls.
  • RT-AC86U – Dual-band WiFi 5 router with speeds up to 2900 Mbps, featuring AiProtection, adaptive QoS, and game acceleration.
  • RT-AC68U – Dual-band WiFi 5 router offering up to 1900 Mbps, with AiMesh support, AiProtection, and robust parental controls.

 
Please use the forum search, this BleepingComputer article has already been posted several times, and the CVE-2024-3080 has been discussed in an earlier post on the 386.13 firmware.
https://www.snbforums.com/threads/a...ilable-for-ac-models.89583/page-3#post-906797
Merlin's 386.13 is based on GPL 386_51997, which is newer than Asus latest version. So these vulnerability fixes should be included.
@RMerlin Am I correct with this statement?
I don't know as I have no idea what specific code changes these fixes are. Some of these aren't even relevant to Asuswrt-Merlin (such as the OpenVPN fixes - we don't use the same OpenVPN code). Asus' releases aren't linear and come from multiple parallel branches, I have absolutely no idea what code comes from what branches.

People ask me the same question over and over every time Asus issues a new release...
 
Last edited:
No Merlin FW takes care of security updates well before Asus gets around to updating it . That is why I use Merlin on all my routers , always have
 
ASUS has released a new firmware update that addresses a vulnerability impacting seven router models
Where? No update for mine, apparently I have to wait. Another case of Asus making false claims?
 
Where? No update for mine, apparently I have to wait. Another case of Asus making false claims?
Do you have one of the seven routers listed? For the seven routers listed they've all have firmware released to patch CVE-2024-3080.
XT8: Version 3.0.0.4.388_24621 2024/03/19
XT8_V2:Version 3.0.0.4.388_24621 2024/03/19
RT-AX88U: Version 3.0.0.4.388_24209 2024/03/29
RT-AX58U: Version 3.0.0.4.388_24762 2024/04/12
RT-AX57: Version 3.0.0.4.386_52303 2024/04/08
RT-AC86U: Version 3.0.0.4.386_51925 2024/03/29
RT-AC68U: Version 3.0.0.4.386_51685 2024/04/15
 
I knew it sounded familiar. The way the OP is worded it reads like something new, particularly the second paragraph
 
That's because this article was posted today in multiple media blogs like it was something brand new, no mention of it being corrected months ago (at least for us!).
Like you, I read this today and from the article date, assumed it was 'new'.

As discussed, it's been fixed for some time, but double checking security isn't a bad thing.
 
Please use the forum search, this BleepingComputer article has been posted several previous times to several different areas of the Asus subforum. Asus has already released updated firmware for those seven affected routers in March/April of this year.

The firmware version for the seven affected routers that contain the security patch for the specific CVE-2024-3080 mentioned in the article:
XT8: 3.0.0.4.388_24621 - 2024/03/19
XT8_V2: 3.0.0.4.388_24621 - 2024/03/19
RT-AX88U: 3.0.0.4.388_24209 - 2024/03/29
RT-AX58U: 3.0.0.4.388_24762 - 2024/04/12
RT-AX57: 3.0.0.4.386_52303 - 2024/04/08
RT-AC86U: 3.0.0.4.386_51925 - 2024/03/29
RT-AC68U: 3.0.0.4.386_51685 - 2024/04/15

Earlier posts about this BleepingComputer article:
https://www.snbforums.com/threads/a...-0-0-4-386_51685-2024-04-15.89692/post-913294
 
Last edited:
This is why Skynet is a godsend

Skynet uses publicly accessible and visible blocklists. It's a matter of minutes to check what's there and hit you from a different IP. Community generated blocklists may eventually react in 24h or slower. What some people don't understand is exposed Internet security method is the easiest one to go around. What works for you works for the malicious actors as well. Makes it even easier with your IPv6 enabled, you won't even notice. Skynet is IPv4 only.
 
Skynet uses publicly accessible and visible blocklists. It's a matter of minutes to check what's there and hit you from a different IP. Community generated blocklists may eventually react in 24h or slower. What some people don't understand is exposed Internet security method is the easiest one to go around. What works for you works for the malicious actors as well. Makes it even easier with your IPv6 enabled, you won't even notice. Skynet is IPv4 only.
(Ohh, look at you discovering how to make QR codes! Good job)

you're increasingly sounding like a guy on youtube a friend keeps pointing me towards who lives on his boat in international waters off the US somewhere...Rob braxman I think...I'll have to look him up

I take your point, but that sort of attack seems targeted and I'd wager malicious actors are much more inclined to spray everywhere like a shotgun for maximum effect.

We really have to stop with the balloon bursting with bb guns. Can we agree that something is better than nothing, and that "best practices" vary by situation?
 
Limited understanding of how things work increases the level of trust in whatever is presented as possible solution to the problem.
 
Interestingly, ASUS is mentioning this Vulnerability to be fixed also in the latest firmware update for the RT-AX86 Series routers, released on the 13th of May 2024.
ASUS RT-AX86 Series(RT-AX86U/RT-AX86S) Firmware version 3.0.0.4.388_24243
Version 3.0.0.4.388_24243
71.49 MB
2024/05/13
.
.
.
- Fixed CVE-2024-3079 and CVE-2024-3080. Special thanks to Weiming Shi
Is this just an error from ASUS by copying release notes information from other router models ?
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top