Is this a concern for those of us using Merlin firmware? (CVE-2024-3080)

[n2ubp]

Is this a concern for those of us using Merlin firmware?

ASUS has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices.


The flaw, tracked as CVE-2024-3080 (CVSS v3.1 score: 9.8 “critical”), is an authentication bypass vulnerability allowing unauthenticated, remote attackers to take control of the device.


ASUS says the issue impacts the following router models:

• XT8 (ZenWiFi AX XT8) – Mesh WiFi 6 system offering tri-band coverage with speeds up to 6600 Mbps, AiMesh support, AiProtection Pro, seamless roaming, and parental controls.
• XT8_V2 (ZenWiFi AX XT8 V2) – Updated version of the XT8, maintaining similar features with enhancements in performance and stability.
• RT-AX88U – Dual-band WiFi 6 router with speeds up to 6000 Mbps, featuring 8 LAN ports, AiProtection Pro, and adaptive QoS for gaming and streaming.
• RT-AX58U – Dual-band WiFi 6 router providing up to 3000 Mbps, with AiMesh support, AiProtection Pro, and MU-MIMO for efficient multi-device connectivity.
• RT-AX57 – Dual-band WiFi 6 router designed for basic needs, offering up to 3000 Mbps, with AiMesh support and basic parental controls.
• RT-AC86U – Dual-band WiFi 5 router with speeds up to 2900 Mbps, featuring AiProtection, adaptive QoS, and game acceleration.
• RT-AC68U – Dual-band WiFi 5 router offering up to 1900 Mbps, with AiMesh support, AiProtection, and robust parental controls.

ASUS warns of critical remote authentication bypass on 7 routers

ASUS has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices.

www.bleepingcomputer.com

 

[bennor]

Please use the forum search, this BleepingComputer article has already been posted several times, and the CVE-2024-3080 has been discussed in an earlier post on the 386.13 firmware.
https://www.snbforums.com/threads/a...ilable-for-ac-models.89583/page-3#post-906797

Merlin's 386.13 is based on GPL 386_51997, which is newer than Asus latest version. So these vulnerability fixes should be included.
@RMerlin Am I correct with this statement?

I don't know as I have no idea what specific code changes these fixes are. Some of these aren't even relevant to Asuswrt-Merlin (such as the OpenVPN fixes - we don't use the same OpenVPN code). Asus' releases aren't linear and come from multiple parallel branches, I have absolutely no idea what code comes from what branches.

People ask me the same question over and over every time Asus issues a new release...

 

[jerry6]

No Merlin FW takes care of security updates well before Asus gets around to updating it . That is why I use Merlin on all my routers , always have

 

[Ripshod]

ASUS has released a new firmware update that addresses a vulnerability impacting seven router models

Where? No update for mine, apparently I have to wait. Another case of Asus making false claims?

 

[ColinTaylor]

Where? No update for mine, apparently I have to wait. Another case of Asus making false claims?

It was patched back in the March update. So it's not a "new" update.

 

[bennor]

Where? No update for mine, apparently I have to wait. Another case of Asus making false claims?

Do you have one of the seven routers listed? For the seven routers listed they've all have firmware released to patch CVE-2024-3080.
XT8: Version 3.0.0.4.388_24621 2024/03/19
XT8_V2:Version 3.0.0.4.388_24621 2024/03/19
RT-AX88U: Version 3.0.0.4.388_24209 2024/03/29
RT-AX58U: Version 3.0.0.4.388_24762 2024/04/12
RT-AX57: Version 3.0.0.4.386_52303 2024/04/08
RT-AC86U: Version 3.0.0.4.386_51925 2024/03/29
RT-AC68U: Version 3.0.0.4.386_51685 2024/04/15

 

[Ripshod]

I knew it sounded familiar. The way the OP is worded it reads like something new, particularly the second paragraph

 

[n2ubp]

I knew it sounded familiar. The way the OP is worded it reads like something new, particularly the second paragraph

That's because this article was posted today in multiple media blogs like it was something brand new, no mention of it being corrected months ago (at least for us!).

 

[XIII]

That's because this article was posted today in multiple media blogs like it was something brand new, no mention of it being corrected months ago (at least for us!).

And that might be because ASUS itself reported it only 2 days ago (June 14):

ASUS Product Security Advisory | ASUS Global

www.asus.com

 

[northumberland]

That's because this article was posted today in multiple media blogs like it was something brand new, no mention of it being corrected months ago (at least for us!).

Like you, I read this today and from the article date, assumed it was 'new'.

As discussed, it's been fixed for some time, but double checking security isn't a bad thing.

 

[robinjoo1]

ASUS warns of critical remote authentication bypass on 7 routers

ASUS has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices.

www.bleepingcomputer.com

 

[bennor]

ASUS warns of critical remote authentication bypass on 7 routers

ASUS has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices.

www.bleepingcomputer.com

Please use the forum search, this BleepingComputer article has been posted several previous times to several different areas of the Asus subforum. Asus has already released updated firmware for those seven affected routers in March/April of this year.

The firmware version for the seven affected routers that contain the security patch for the specific CVE-2024-3080 mentioned in the article:
XT8: 3.0.0.4.388_24621 - 2024/03/19
XT8_V2: 3.0.0.4.388_24621 - 2024/03/19
RT-AX88U: 3.0.0.4.388_24209 - 2024/03/29
RT-AX58U: 3.0.0.4.388_24762 - 2024/04/12
RT-AX57: 3.0.0.4.386_52303 - 2024/04/08
RT-AC86U: 3.0.0.4.386_51925 - 2024/03/29
RT-AC68U: 3.0.0.4.386_51685 - 2024/04/15

Earlier posts about this BleepingComputer article:

Is this a concern for those of us using Merlin firmware? (CVE-2024-3080)

Is this a concern for those of us using Merlin firmware? ASUS has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices. The flaw, tracked as CVE-2024-3080 (CVSS v3.1 score: 9.8 “critical”), is an...

www.snbforums.com

ASUS warns of critical remote authentication bypass on 7 routers

ASUS has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices. The flaw, tracked as CVE-2024-3080 (CVSS v3.1 score: 9.8 “critical”), is an authentication bypass vulnerability allowing unauthenticated, remote...

www.snbforums.com

https://www.snbforums.com/threads/a...-0-0-4-386_51685-2024-04-15.89692/post-913294

 

[robinjoo1]

i searched for asus update and lots of different terms but didnt find it

 

[bennor]

i searched for asus update and lots of different terms but didnt find it

A suggestion. Try searching for the CVE and see if there are posts. Often times people will post the specific CVE and ask if it has been patched. For example in this case CVE-2024-3080 yields a number of hits, including those earlier posts/threads, along with some discussion on it:
https://www.snbforums.com/search/1208769/?q=CVE-2024-3080&o=relevance

 

[jerry6]

And that might be because ASUS itself reported it only 2 days ago (June 14):

ASUS Product Security Advisory | ASUS Global

www.asus.com

SEEMS BILL Tolatetothegame is a bit slow reporting security updates

 

[heysoundude]

This is why Skynet is a godsend, and other tips here to harden the security of your routers/networks are important to follow as well.

 

[Tech9]

This is why Skynet is a godsend

Skynet uses publicly accessible and visible blocklists. It's a matter of minutes to check what's there and hit you from a different IP. Community generated blocklists may eventually react in 24h or slower. What some people don't understand is exposed Internet security method is the easiest one to go around. What works for you works for the malicious actors as well. Makes it even easier with your IPv6 enabled, you won't even notice. Skynet is IPv4 only.

 

[heysoundude]

Skynet uses publicly accessible and visible blocklists. It's a matter of minutes to check what's there and hit you from a different IP. Community generated blocklists may eventually react in 24h or slower. What some people don't understand is exposed Internet security method is the easiest one to go around. What works for you works for the malicious actors as well. Makes it even easier with your IPv6 enabled, you won't even notice. Skynet is IPv4 only.

(Ohh, look at you discovering how to make QR codes! Good job)

you're increasingly sounding like a guy on youtube a friend keeps pointing me towards who lives on his boat in international waters off the US somewhere...Rob braxman I think...I'll have to look him up

I take your point, but that sort of attack seems targeted and I'd wager malicious actors are much more inclined to spray everywhere like a shotgun for maximum effect.

We really have to stop with the balloon bursting with bb guns. Can we agree that something is better than nothing, and that "best practices" vary by situation?

 

[Tech9]

Limited understanding of how things work increases the level of trust in whatever is presented as possible solution to the problem.

 

[Geraner]

Interestingly, ASUS is mentioning this Vulnerability to be fixed also in the latest firmware update for the RT-AX86 Series routers, released on the 13th of May 2024.

ASUS RT-AX86 Series(RT-AX86U/RT-AX86S) Firmware version 3.0.0.4.388_24243
Version 3.0.0.4.388_24243
71.49 MB
2024/05/13
.
.
.
- Fixed CVE-2024-3079 and CVE-2024-3080. Special thanks to Weiming Shi

Is this just an error from ASUS by copying release notes information from other router models ?