Is this a concern for those of us using Merlin firmware? (CVE-2024-3080)

Ripshod · Jun 22, 2024

More likely to reiterate that that CVE is fixed, after all the knee-jerk reactions after certain articles were posted.

JIPG · Jul 5, 2024

After many posts, it seems that the OP question is not answered yet. There are new fw from ASUS for the affected routers (end od March), but the last GPL merged by RMerlin n the 388 line is from January, so it is very unlikely that It includes the patches.

I do not know if other changes in some components are related to that, but it seems also very unlikely due to the type of vulnerability.

So, if nobody has arguments against, we should consider that we are exposed and It is recommended to follow the ASUS advice in case you cannot update the firmware (typically avoiding the exposure to external access).

jerry6 · Jul 5, 2024

JIPG said:
After many posts, it seems that the OP question is not answered yet. There are new fw from ASUS for the affected routers (end od March), but the last GPL merged by RMerlin n the 388 line is from January, so it is very unlikely that It includes the patches.

I do not know if other changes in some components are related to that, but it seems also very unlikely due to the type of vulnerability.

So, if nobody has arguments against, we should consider that we are exposed and It is recommended to follow the ASUS advice in case you cannot update the firmware (typically avoiding the exposure to external access).

it has been answered 10 times you just refuse to read it and accept it

RMerlin · Jul 5, 2024

JIPG said:
So, if nobody has arguments against, we should consider that we are exposed and It is recommended to follow the ASUS advice in case you cannot update the firmware (typically avoiding the exposure to external access).

I am not discussing details of a security issue when the information are still confidential and not published in the public CVE.

All I can state is that 3006.102.1, 3004.388.8 and 386.14 are NOT affected by this.

laracroftonline · Jul 5, 2024

people really need to stop worrying if they are on merlin firmware. he usually uses the latest of everything he can update. he also pushes out alphas or betas as soon as there is a vulnerability that he can patch.

bennor · Jul 5, 2024

JIPG said:
After many posts, it seems that the OP question is not answered yet.

It has been answered or addressed a number of times in various discussions posted about the CVE's referenced in the article. For example:
(edit: erroneously linked quote from last year dealing with two other CVE's)
In addition to RMerlin's response above.

JIPG · Jul 5, 2024

RMerlin said:
I am not discussing details of a security issue when the information are still confidential and not published in the public CVE.

All I can state is that 3006.102.1, 3004.388.8 and 386.14 are NOT affected by this.

Fair answer. Closing the discussion.

JIPG · Jul 5, 2024

bennor said:
It has been answered or addressed a number of times in various discussions posted about the CVE's referenced in the article. For example:
https://www.snbforums.com/threads/a...cal-router-vulnerabilities.85553/#post-849841

In addition to RMerlin's response above.

Sorry, you are pointing to a one year ago post, so no related.

jerry6 · Jul 6, 2024

JIPG said:
Sorry, you are pointing to a one year ago post, so no related.

no you just refuse to accept it is over and done , accept it and be done with it

JIPG · Jul 6, 2024

jerry6 said:
no you just refuse to accept it is over and done , accept it and be done with it

Please, see my answer to RMerlin two post above ...