Recent Security Patches — Still Missing

[fruitcornbread]

I have XD6 units and there is an ASUS update for that. Not sure about the others though.

I'm not sure if that XD6 firmware update addresses AiCloud issue though. The following routers also have the same release notes in the September / October firmware update: RT-AX82, ZenWiFi XD4S / XD4 Plus, XC5, & ET9.

Majority of the other routers that received firmware update in November have this kind of wording on the release notes:

1. Strengthened input validation and data processing workflows to further protect information security.
2. Enhanced AiCloud password protection mechanisms, safeguarding against unauthorized access attempts.
3. Enhanced device security through improved buffer handling in connection features.
4. Refined data handling processes, ensuring secure and accurate information management.
5. Enhanced file access control mechanisms, promoting a more secure operating environment.
6. Strengthened certificate protection, providing enhanced data security.

The same routers also received the previous firmware in Sept / Oct which had this wording as well in the release notes:

1. Optimized memory management mechanisms, improving system efficiency and stability.
2. Strengthened input validation and data processing workflows, further protecting your information security.
3. Improved web rendering engine, enhancing browsing experience and security.
4. Enhanced security of system command processing to guard against potential malicious operations.
5. Perfected JavaScript-related security mechanisms, offering a more secure web interaction environment.

 

[visortgw]

I'm not sure if that XD6 firmware update addresses AiCloud issue though. The following routers also have the same release notes in the September / October firmware update: RT-AX82, ZenWiFi XD4S / XD4 Plus, XC5, & ET9.

Majority of the other routers that received firmware update in November have this kind of wording on the release notes:

The same routers also received the previous firmware in Sept / Oct which had this wording as well in the release notes:

Correct, none of the October or earlier firmware releases contained the latest security vulnerability patches.

 

[jksmurf]

I'm not sure if that XD6 firmware update addresses AiCloud issue though.

Hmm I think you’re right. Fortunately I use them as Nodes only.

 

[iFrogMac]

Is the separate security updates toggle new to the 3.0.0.6 line of firmware? The RT-AX86U only had the one toggle for automatic firmware updates, while the new RT-BE92U has the original automatic firmware updates toggle, and a new automatic security updates toggle. I disabled the auto firmware updates but left security updates on toggle, so I can review the firmware changes before installing updates.

Seeing this gives me the impression that the newer router models that use the new line of firmware have the ability to have security patches applied independent of firmware updates.

 

[Squall Leonhart]

wouldn't surprise me if the absense of 88u and 86u wasn't because of a migration to 3.0.0.6

 

[visortgw]

wouldn't surprise me if the absense of 88u and 86u wasn't because of a migration to 3.0.0.6

Those two will never migrate to 3006 codebase.

 

[Squall Leonhart]

nonsense, theres no reason not to.

the pro models drivers are built from the same broadcom sdk.

 

[bitsbytes]

i have the aX86U and a AX58U as a node. the AX58U received a previous update that the AX86U never did that included the following

Optimized memory management mechanisms, improving system efficiency and stability.
2. Strengthened input validation and data processing workflows, further protecting your information security.
3. Improved web rendering engine, enhancing browsing experience and security.
4. Enhanced security of system command processing to guard against potential malicious operations.
5. Perfected JavaScript-related security mechanisms, offering a more secure web interaction environment.

this was two months ago and if i remember correctly many other routers received an update with similar patch notes.

what i think happened is ASUS was ready to release that patch, but was hit with this software breach so they are working on a new patch that includes the previous updates and the latest security updates in one firmware.

this to me seems like the only logical conclusion of why this update is taking a longer time to release compared to other models.

 

[visortgw]

nonsense, theres no reason not to.

the pro models drivers are built from the same broadcom sdk.

Even so, Asus will never update the older non-Pro models — the one exception being the the GT-AX6000, which is the ROG equivalent of the RT-AX88U Pro. It is a marketing ploy.

 

[bennor]

Just an FYI for Asus-Merlin users or those who are waiting for the stock Asus router firmware to be updated. RMerlin has released 386.14_2, 3004.388.8_4 and 3006.102.2_2 firmware. All three contain: FIXED: Security issues in AiCloud (backports from Asus).
https://www.snbforums.com/threads/a...now-available-for-ac-models.91060/post-934246

Release - Asuswrt-Merlin 3004.388.8_4 is now available

Asuswrt-Merlin 3004.388.8_4 is now available for all Wifi 6 models. 3004.388.8_4 (17-Nov-2024) - CHANGED: VPN killswitch will now only be active if the VPN client itself is enabled. If you stop/start the client yourself over SSH, you need to also...

www.snbforums.com

https://www.snbforums.com/threads/a...e-for-wifi-7-devices.92745/page-3#post-934245

 

[RMerlin]

nonsense, theres no reason not to.

the pro models drivers are built from the same broadcom sdk.

They're not. PRO models have a different CPU, and are built from HND5.04ax versus HND5.02ax/HND5.02ax_675x for the non-PRO models.

It's not just a straight recompile, they also have different switches that may require extra work to support the VLAN feature from 3006.

 

[Squall Leonhart]

They're not. PRO models have a different CPU, and are built from HND5.04ax versus HND5.02ax/HND5.02ax_675x for the non-PRO models.

They are on the same sdk, all that differs is the build target. HWND is an artificial construct. There is no change to the arm architectures on CPU's between 5.02 and 5.04 with the base and pro models being on Coretex B53, there is no deviance in instruction capability and the chip can be transplanted physically, BC4912 is just a juiced up 4908.

 

[RMerlin]

They are on the same sdk, all that differs is the build target. HWND is an artificial construct. There is no change to the arm architectures on CPU's between 5.02 and 5.04 with the base and pro models being on Coretex B53, there is no deviance in instruction capability and the chip can be transplanted physically, BC4912 is just a juiced up 4908.

It IS a different SDK. Even the kernel is different (4.1 vs 4.19). Just because the two CPUs share the same instruction set does not mean that everything else is the same within the SDK, or at the hardware level.

 

[jksmurf]

I'm not sure if that XD6 firmware update addresses AiCloud issue though. The following routers also have the same release notes in the September / October firmware update: RT-AX82, ZenWiFi XD4S / XD4 Plus, XC5, & ET9.

Majority of the other routers that received firmware update in November have this kind of wording on the release notes:

The same routers also received the previous firmware in Sept / Oct which had this wording as well in the release notes:

I'm a bit miffed the XD4 now has a patch but the XD6 does not... . But the RT-AX86U (ASUS) FW not being updated yet is the biggest mystery.
Yep, I have the Asus Merlin patch, so not too fussed.

 

[Jeje2]

Still no update for RT-AX86U?

And it ain't on the EOL list either....