Merlin 386.7_2 CVE Fixes

[jplw]

Does the Merlin 386.7_2 firmware for the RT-AC68U contain all of the CVE and other security fixes in Version 3.0.0.4.386.49703 of the stock firmware?

 

[L&LD]

You would need to study the changelog to determine that.

 

[jplw]

You would need to study the changelog to determine that.

I did, but was not sure how to interpret "Merged with 386_48966 GPL for all other models." Does that mean that, since 48966 is less than 49703, that Merlin is behind on security patches, or are those numbers not comparable?

 

[cc666]

Does the Merlin 386.7_2 firmware for the RT-AC68U contain all of the CVE and other security fixes in Version 3.0.0.4.386.49703 of the stock firmware?

From the changelog file:

- UPDATED: Merged with 386_49335 GPL for the RT-AC5300.
- UPDATED: Merged with 386_48966 GPL for all other models.
It is behind.

CC

 

[RMerlin]

I did, but was not sure how to interpret "Merged with 386_48966 GPL for all other models." Does that mean that, since 48966 is less than 49703, that Merlin is behind on security patches, or are those numbers not comparable?

You will have to determine what changes happened between 48966 and 49703. A lot of the fixes you mention were probably already fixed either in 48966 or by myself. My OpenSSL build for instance is almost always more up-to-date than Asus.

 

[Deleted member 22229]

Here is 49674 that is newer then Merlin 48966 and there are many security fixes here. So i would say no Merlins 386.7.2 does not contain these fixes.


1.Fixed CVE-2022-23970, CVE-2022-23971, CVE-2022-23972, CVE-2022-23973, CVE-2022-25595, CVE-2022-25596, CVE-2022-25597, CVE-2022-26376,CVE-2021-34174,CVE-2018-1160, CVE-2022-26376,CVE-2022-0778
2.Fixed Stored XSS vulnerability. Thanks to Milan Kyselica of IstroSec.
3.Fixed anomalous 802.11 frame issues.

 

[ColinTaylor]

Here is 49674 that is newer then Merlin 48966 and there are many security fixes here. So i would say no Merlins 386.7.2 does not contain these fixes.


1.Fixed CVE-2022-23970, CVE-2022-23971, CVE-2022-23972, CVE-2022-23973, CVE-2022-25595, CVE-2022-25596, CVE-2022-25597, CVE-2022-26376,CVE-2021-34174,CVE-2018-1160, CVE-2022-26376,CVE-2022-0778
2.Fixed Stored XSS vulnerability. Thanks to Milan Kyselica of IstroSec.
3.Fixed anomalous 802.11 frame issues.

That's not the list for the OP's RT-AC68U. You need to compare the correct router model. Most of those CVE's were fixed in 3.0.0.4.386.48262 (March 2022) for the RT-AC68U.

 

[Deleted member 22229]

That's not the list for the OP's RT-AC68U. You need to compare the correct router model. Most of those CVE's were fixed in 3.0.0.4.386.48262 (March 2022) for the RT-AC68U.

Fair enough. But honestly with all these different versions and release dates being different it's hard to be certain. And it would be nice to know in the changelog. There are so many cyber threats around these days people are just trying to play it safe.

 

[RMerlin]

Here is 49674 that is newer then Merlin 48966 and there are many security fixes here. So i would say no Merlins 386.7.2 does not contain these fixes.

Once again, that does not tell you anything about which fixes were already present in 48966. You need to find a changelog for the same or a previous version.

There are so many cyber threats around these days people are just trying to play it safe.

Just because there is a CVE for something does not mean that you are vulnerable, or that this issue can even be actually be exploited. At least one OpenSSL CVE for instance is for an issue that ONLY affects x86 CPUs, not ARM routers. Another recent OpenSSL CVE only affects a shell script which isn't even part of the router firmware. So stop worrying, the sky isn't falling.

 

[L&LD]

Over 9 years ago, I switched to Asus routers and almost exclusively RMerlin firmware (except for testing RMerlin vs. Stock back in those early days).

Prior to that, yes, I had a handful of security issues that compromised my devices to varying degrees. To the point where I thought I needed third-party malware software installed on everything.

Since then, no issues at all. And that includes not using any AV except for MS' built-in during all that time.

As RMerlin hints; use an updated as possible RMerlin-powered router and stop worrying.

If you don't click every link thrown at your screen, or troll through the dark web, the sky isn't falling.

The safest I feel is when I'm on my own network. The least safe? When in a gov't building or at Starbucks (gross!). I feel safer by using OpenVPN back to my router, of course, but not as safe as when not at those sketchy locations.