What's new

Latest RT-AC68U Asuswrt stock vs Merlin security

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

KrypteX

Regular Contributor
This may have been discussed in some detail here: https://www.snbforums.com/threads/merlin-firmware-and-cve-security-patches.85764/
but I have yet to find a definite answer to the following question:
If I compare the latest Asuswrt stock firmware 3.0.0.4.386.51665 from https://www.asus.com/networking-iot...ers/rtac68u/helpdesk_bios/?model2Name=RTAC68U
with Merlin's latest 386.11 changelog from https://www.asuswrt-merlin.net/node/14
it seems that Merlin's GPL being used is 386_50757, which is a bit older than the stock 386_51665. In fact it is older than the last 2 stock ASUS versions.
Listing them in GPL version order with the largest version first, we get something like:

ASUS 3.0.0.4.386.51665 - 2023/05/11
ASUS 3.0.0.4.386.51255 - 2023/03/02
Merlin 386.11 (386.50757) - 2023/05/14
ASUS 3.0.0.4.386.49703 - 2022/07/20

So the last 2 ASUS versions (top 2 in the list) seem to be newer than the GPL used in Merlin's 386.11. And if I list the fixes in them, it's actually quite extensive:

Version 3.0.0.4.386.51665 - 2023/05/11
------------------------------------------
Bug fixes and functionality modifications:
-Resolved the issue with login and password changes.
-Fixed the issue where Traffic Analyzer sometimes couldn't record data.

Security updates:
-Enabled and supported ECDSA certificates for Let's Encrypt.
-Enhanced protection for credentials.
-Enhanced protection for OTA firmware updates.
-Fixed DoS vulnerabilities in firewall configuration pages. Thanks to Jinghe Gao's contribution.
-Fixed DoS vulerabilities in httpd. Thanks to Howard McGreehan.
-Fixed information disclosure vulnerability. Thanks to Junxu (Hillstone Network Security Research Institute) contribution.
-Fixed CVE-2023-28702 and CVE-2023-28703. Thanks to Xingyu Xu(@tmotfl) contribution.
-Fixed null pointer dereference vulnerabilities. Thanks to Chengfeng Ye, Prism Research Group - cse hkust contribution.
-Fixed the cfg server vulnerability. Thanks to Swing and Wang Duo from Chaitin Security Research Lab.
-Fixed the vulnerability in the logmessage function CVE-2023-35086/ CVE-2023-35087.

Version 3.0.0.4.386.51255 - 2023/03/02
------------------------------------------
1. Fixed HTTP response splitting vulnerability.
2. Fixed Samba related vulerabilities.
3. Fixed cfg server security issues.
4. Fixed Open redirect vulnerability.
5. Fixed token authentication security issues.
6. Fixed security issues on the status page.
7. Fixed XSS vulnerability.
8. Fixed CVE-2022-26376
9. Fixed CVE-2018-1160
10. Fixed IPv6-related bugs.
11. Added a new login URL http://www.asusrouter.com to fixed the login issues.
12. Optimize the AiMesh web interface
13. Fixed network map UI bugs
14. Fixed bugs related to Wi-Fi calling.
15. Supported web history record exported.
16. Fixed IPSec VPN server compatibility with Windows 10 VPN client.
17. Improved AiMesh connection stability.
18. Fixed IPTV issues.
19. Fixed CVE-2022-35401 authentication bypass vulnerability.
20. Fixed CVE-2022-38105 information disclosure vulnerability in CM process.
21. Fixed CVE-2022-38393 DoS vulnerability in cfg_server.

So my question would be: how many of these are included in Asuswrt-Merlin? If not all of them, then how can we find out which ones are missing and if so, how big of a security issue is it?
Sorry if this has been asked before, but I really can't find a clear answer to this on the forum, so I'm very much still wondering whether all security vulnerabilities have been fixed/handled by Merlin in 386.11.

If the vulnerabilities listed above haven't been taken care of by Merlin, I would really like to know what is the hold up in releasing a newer 386.12 that would be based on the latest GPL from ASUS, after 386_51665 from 2023/05/11. A more recent GPL must have been made available I suppose by ASUS, almost 3 months have passed since then...

PS: Please don't tell me to purchase another/newer router. The AC68U still fits my needs hardware-wise, so I'm only interested in discussing the firmware that is or should be running on it from a security point of view. Thanks!
 
Last edited:
I would really like to know what is the hold up in releasing a newer 386.12 that would be based on the latest GPL
1) ~20 separate models, two separate code branches, and only one single developer doing it out of his spare time beside his fulltime day job
2) Updated GPLs for 386 were only received two weeks ago, but that single developer is already too busy working on the 388 models.
 
RMerlin gave a short and concise answer, and it made me curious on RMerlin's general behind the scene's workflow. How releases are balanced and prioritized between models. So I just searched for "merlin workflow".
Posts are older but do give at least a rough general idea, about development in more detail.

Sharing 2 posts for any other curious minds.
 
it seems that Merlin's GPL being used is 386_50757, which is a bit older than the stock 386_51665

So my question would be: how many of these are included in Asuswrt-Merlin? If not all of them, then how can we find out which ones are missing and if so, how big of a security issue is it?
Sorry if this has been asked before, but I really can't find a clear answer to this on the forum, so I'm very much still wondering whether all security vulnerabilities have been fixed/handled by Merlin in 386.11.

I could be mistaken but I thought despite using an older GPL Merlin would backport the newer security fixes to the current Asus-Merlin firmware release.
 
I could be mistaken but I thought despite using an older GPL Merlin would backport the newer security fixes to the current Asus-Merlin firmware release.
I don't have access to Asus's development code or internal git repo. All I get are 1GB-1.5GB GPL archives they provide to me, and there is typically a ~3 months gap between these due to the amount of work involved on their end in preparing all of them. I can't backport patches that I don't have. Plus, patches are often part of closed source components, which means it's impossible for me to backport anything.

RMerlin gave a short and concise answer
That's because this has been discussed ad nauseum on these forums in the past.
 
386.12 alpha is out, I really appreciate the quick release, @RMerlin !
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top