[Release] Asuswrt-Merlin 384.13 is now available

[JarleH]

What UPnP exploit? I'm not aware of any known security issues with miniupnpd at the moment (and miniupnpd has a fairly good track record compared to other in-house solutions).

I was referring to him saying its the best to disable upnp, and that is due to upnp exploitable nature. There were 'fixes' some time back to change some of the weaknesses of upnp in routers as far as I can see from articles, but I may be wrong.

In short: why should I disable upnp if its not exploitable?
(referring to upnp in general)

 

[Martineau]

I was referring to him saying its the best to disable upnp, and that is due to upnp exploitable nature. There were 'fixes' some time back to change some of the weaknesses of upnp in routers as far as I can see from articles, but I may be wrong.

In short: why should I disable upnp if its not exploitable?
(referring to upnp in general)

There are many opinions/articles e.g. Is UPnP a Security Risk? and sadly it is up to everyone to decide if the 'convenience' is worth the risk.

Personally I always disable it, but what do I know?

Furthermore, given the adage "Only trivial code is bug-free", there will always be bugs Vulnerability Summary for the Week of November 4, 2019 but whether or not they apply to the router in the lastest current firmware vs. Beta:

384.14 (xx-xxx-xxxx)

 - UPDATED: miniupnpd 20190824

not sure.

 

[RMerlin]

In short: why should I disable upnp if its not exploitable?

It's a security risk because it allows any client connected to your LAN to forward a port. The risk is not as serious with Asuswrt-Merlin than with some other firmwares because by default, Asuswrt-Merlin runs in Secure mode, which means a LAN client is only allowed to forward a port to itself. So if for example a malware running on your desktop would try to open the router's webui through UPNP it would not be able to do so.

Also, Asuswrt-Merlin lets you chose which range of ports you want to allow. By default, privileged ports (ports 1 to 1023) are not allowed, so out of the box one would not be able to redirect, for instance, port 80 (web), or 139 (Windows File Sharing).

It boils down to deciding risk vs benefits, which depends on you. For reference, personally I keep UPNP enabled at home.

 

[RMerlin]

Furthermore, given the adage "Only trivial code is bug-free", there will always be bugs Vulnerability Summary for the Week of November 4, 2019 but whether or not they apply to the router in the lastest current firmware vs. Beta:

This CVE is from 2013, so pretty sure it's been fixed a long time ago.

EDIT: confirmed, was fixed back in 2013.

This issue was addressed on April 26, 2013 as noted in the changelog:
http://miniupnp.free.fr/files/changelog.php?file=miniupnpd-1.8.20130607.tar.gz

 

[Martineau]

This CVE is from 2013, so pretty sure it's been fixed a long time ago.

EDIT: confirmed, was fixed back in 2013.

Don't I look stupid quoting a November 2019 US 'Government-organisation-owned-published' document publicly available on the Internet?

However, their November 18, 2019 Vulnerability report does actually have a valid November 2019 reference:

miniupnp -- ngiflib

     MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueColor in ngiflib.c via a file that lacks a palette.
     Reported:2019-11-17          CVE-2019-19011

but again more than likely it probably doesn't affect routers.

 

[RMerlin]

but again more than likely it probably doesn't affect routers.

This is for ngiflib, which is unrelated to UPNP - it just happens to be from the same author (and that author's Github account is called miniupnp). None of that code exists in miniupnpd.

 

[Hawk]

Thanks! Since I am a gamer, turning off upnp may create some problems for me... Still many games that do not have dedicated servers, and use different types of player hosted matches/'servers'.

Edit:
And the upnp exploit cannot be fixed in firmware? No way to know if its a game/program making the request, or an exploit? Guess not...

I should have been more specific, I disable in mine setup.

 

[Olivier L]

Hello,
Since 2 days, I have a couple of "kernel: [tdts_shell_ioctl_stat:256] Recv ioctl req with op 2" populated my syslog per hours.
Do you know what does it mean ?
Thx

 

[RMerlin]

Hello,
Since 2 days, I have a couple of "kernel: [tdts_shell_ioctl_stat:256] Recv ioctl req with op 2" populated my syslog per hours.
Do you know what does it mean ?
Thx

Trend Micro debug messages, just ignore them.

 

[Olivier L]

thanks

 

[RMerlin]

I have uploaded new test builds for the RT-AC87U and RT-AC3200 to the https://www.asuswrt-merlin.net/test-builds/ folder, please give them a try. These contains a number of fixes that were ported from the 384.14 development (which won't be able to support either of these two models).

Changes since 384.13:

812044775b inadyn: re-disable cert validation for AsusDDNS - their server is once again using an expired certificate
36b1862505 openssl-1.1: update to 1.1.1d
ac1fe48247 openssl-1.0: update to 1.0.2t
ac4a2b6734 socat: that is one fat cat, put him on a diet by removing unused features
a866c4228e letsencrypt: backport new LE support from 384_81351
5bd5fda335 inadyn: switch Asus DDNS server to ns1.asuscomm.com since their server certificate is missing the nwsrv-ns1.asus.com SAN; re-enable certificate validation when updating an Asus DDNS account
8fd5278a8e rc: ipv6 ns drop checking wrong nvram for dualwan/multiiptv builds
a8d9102cad rc: inadyn: always force AsusDDNS updates on LE-enabled build
0a495f2d9d webui: allow empty local IP for IPv6 firewall rule
901f7e665e rc: firewall: better detection of EUI64 addresses; add missing support in Dual WAN LB / Multicast IPTV modes
6e84f38b51 webui: store OpenVPN Server custom clientlist info even if server is disabled
094fd0a625 busybox: enable split applet, for uniformity with HND platform
7fd70b6f21 ssl: update root certificates to October 9th 2019 version
9dc6f089a9 webui: fix dnsfilter table layout
370ae91b2b rc: wrong variable used to report bitsize of rejected OVPN server DH
de70dc1ae8 webui: ensure that YandexDNS is always disabled at the webui level (closes #347)
3f5692cfc2 httpd: add "TLS Web Server Authentication" to certificate's extended attributes
b77e5aa99d httpd: limit SSL certificate to 2 years if clock is accurate
f680eaadd6 webui: re-implement notification if free nvram < 3000 bytes

 

[AndreiV]

Thanks for your efforts with these 2 routers Eric, much appreciated.

 

[TonyK132]

Also using Wifi calling, iPhone X - AT&T Wireless, with 384.13 on an AX88U with no issues.

Wifi Calling on this build keeps failing. I am on Three network and have been using Wifi calling with no problem connecting through my RT-AC86U. Updated to firmware 384.13 and it keeps dropping calls after 3 seconds on both 2.4 and 5ghz bands. In the end I have gone back to 384.12 and its stable again.

So I presume there is a bug somewhere on 384.13, would it have anything to do with the AIMesh integration, I do not have this switched on.

Is this problem fixed in 384.14b2? Since recently updating to 384.13, I too am having drops on the 5G band.

 

[AndreiV]

Flashed test file to AC3200 without any problems, will soon know if anything goes crazy.

 

[Blacklistedcard]

Loaded 384.13_2-g9239ffaa0d onto my AC87u. Working just fine.

 

[melon]

RT-AC87U_384.13_2-g9239ffaa0d: So far so good~

 

[mister]

Each environment is unique, however with little information I have about your apartment.

I will recommend following in general

1. Use 20 Mhz on 2.4
2. Disable WPS
3. Turn off airtime fairness
4. Disable beamforing
5. Turn off upnp in wan section
6. Disable network share, if not using it.

Just a question :
Why do you recommend switching of Airtime Fairness and Beamforming ? I thought that these both technologies make the wifi connection more robust.
What are the advantages of disabling or in other words: How can I see, that turning off these both features has a positive effect ?

Thanks a lot.

 

[AndreiV]

Just a question :
Why do you recommend switching of Airtime Fairness and Beamforming ? I thought that these both technologies make the wifi connection more robust.
What are the advantages of disabling or in other words: How can I see, that turning off these both features has a positive effect ?

Thanks a lot.

Read the forums, there are hundreds of posts/threads on the subject.

Look at Merlin's recommendations .

The items in question are known to cause problems hence the suggestion to turn them off.

https://www.snbforums.com/threads/guide-troubleshooting-wifi-issues.12825/

https://www.snbforums.com/threads/guide-trhttpsoubleshooting-wifi-issues.12825/#post-375354

Quick addendum, as I lack the time to maintain the original post:

In newer routers, if you experience wireless stability issues then it's recommended that you disable the following options:

MU-MIMO (some hardware revisions have non-functional/unreliable implementations)

Airtime Fairness (causes connectivity issues for various devices, including wireless printers)

Universal Beamforming (non-standard, might cause compatibility issues with some clients)

 

[MDM]

RT-AC87U and 384.13_2-g9239ffaa0d, all OK.
Recreated Certificate (two years now), and it seams fine for now.

These contains a number of fixes that were ported from the 384.14 development (which won't be able to support either of these two models).

Just wondering, is this permanent, or just until the GPL-s are out..?

 

[RMerlin]

Just wondering, is this permanent, or just until the GPL-s are out..?

I don't know yet if it will be permanent or not. These two models are still on 382 code, and the GPL releases are too different from the 384 code to be compatible any longer, so it means each time I need to have Asus provide me with special binary blobs for these two models. I can no longer use the available GPL drops for these two models. Getting these binary blobs depends on the 384 code being compilable for these two models, as well as to the engineer building these to have the time to actually compile these components for me (which he currently doesn't).