This may have been discussed in some detail here: https://www.snbforums.com/threads/merlin-firmware-and-cve-security-patches.85764/
but I have yet to find a definite answer to the following question:
If I compare the latest Asuswrt stock firmware 3.0.0.4.386.51665 from https://www.asus.com/networking-iot...ers/rtac68u/helpdesk_bios/?model2Name=RTAC68U
with Merlin's latest 386.11 changelog from https://www.asuswrt-merlin.net/node/14
it seems that Merlin's GPL being used is 386_50757, which is a bit older than the stock 386_51665. In fact it is older than the last 2 stock ASUS versions.
Listing them in GPL version order with the largest version first, we get something like:
ASUS 3.0.0.4.386.51665 - 2023/05/11
ASUS 3.0.0.4.386.51255 - 2023/03/02
Merlin 386.11 (386.50757) - 2023/05/14
ASUS 3.0.0.4.386.49703 - 2022/07/20
So the last 2 ASUS versions (top 2 in the list) seem to be newer than the GPL used in Merlin's 386.11. And if I list the fixes in them, it's actually quite extensive:
Version 3.0.0.4.386.51665 - 2023/05/11
------------------------------------------
Bug fixes and functionality modifications:
-Resolved the issue with login and password changes.
-Fixed the issue where Traffic Analyzer sometimes couldn't record data.
Security updates:
-Enabled and supported ECDSA certificates for Let's Encrypt.
-Enhanced protection for credentials.
-Enhanced protection for OTA firmware updates.
-Fixed DoS vulnerabilities in firewall configuration pages. Thanks to Jinghe Gao's contribution.
-Fixed DoS vulnerabilities in httpd. Thanks to Howard McGreehan.
-Fixed information disclosure vulnerability. Thanks to Junxu (Hillstone Network Security Research Institute) contribution.
-Fixed CVE-2023-28702 and CVE-2023-28703. Thanks to Xingyu Xu(@tmotfl) contribution.
-Fixed null pointer dereference vulnerabilities. Thanks to Chengfeng Ye, Prism Research Group - cse hkust contribution.
-Fixed the cfg server vulnerability. Thanks to Swing and Wang Duo from Chaitin Security Research Lab.
-Fixed the vulnerability in the logmessage function CVE-2023-35086/ CVE-2023-35087.
Version 3.0.0.4.386.51255 - 2023/03/02
------------------------------------------
1. Fixed HTTP response splitting vulnerability.
2. Fixed Samba related vulnerabilities.
3. Fixed cfg server security issues.
4. Fixed Open redirect vulnerability.
5. Fixed token authentication security issues.
6. Fixed security issues on the status page.
7. Fixed XSS vulnerability.
8. Fixed CVE-2022-26376
9. Fixed CVE-2018-1160
10. Fixed IPv6-related bugs.
11. Added a new login URL http://www.asusrouter.com to fix the login issues.
12. Optimize the AiMesh web interface
13. Fixed network map UI bugs
14. Fixed bugs related to Wi-Fi calling.
15. Supported web history record exported.
16. Fixed IPSec VPN server compatibility with Windows 10 VPN client.
17. Improved AiMesh connection stability.
18. Fixed IPTV issues.
19. Fixed CVE-2022-35401 authentication bypass vulnerability.
20. Fixed CVE-2022-38105 information disclosure vulnerability in CM process.
21. Fixed CVE-2022-38393 DoS vulnerability in cfg_server.
So my question would be: how many of these are included in Asuswrt-Merlin? If not all of them, then how can we find out which ones are missing and if so, how big of a security issue is it?
Sorry if this has been asked before, but I really can't find a clear answer to this on the forum, so I'm very much still wondering whether all security vulnerabilities have been fixed/handled by Merlin in 386.11.
If the vulnerabilities listed above haven't been taken care of by Merlin, I would really like to know what is the hold up in releasing a newer 386.12 that would be based on the latest GPL from ASUS, after 386_51665 from 2023/05/11. A more recent GPL must have been made available I suppose by ASUS, almost 3 months have passed since then...
PS: Please don't tell me to purchase another/newer router. The AC68U still fits my needs hardware-wise, so I'm only interested in discussing the firmware that is or should be running on it from a security point of view. Thanks!