Beta RT-AC68U 9.0.0.4.386.41994 Beta Version

[bbunge]

ASUS RT-AC68U Firmware version 9.0.0.4.386.41994 (Beta Version)
Security Fixed:
Fixed CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686

RT-AC68U｜WiFi Routers｜ASUS USA

ASUS has a range of wireless routers suitable for every purpose. Whether it's for your home, for business trips, or for any other need or environment, there's an ASUS router for you.

www.asus.com

 

[Objects in Space]

FYI: The MD5 hash code does not match what is shown on the website and the extracted firmware file.

https://www.snbforums.com/threads/a...imesh-2-0-continued.69274/page-14#post-658258

Also, I linked each of CVE Security Vulnerabilities so you can read their description.

https://www.snbforums.com/threads/a...imesh-2-0-continued.69274/page-13#post-658105

 

[podkaracz]

FYI: The MD5 hash code does not match what is shown on the website and the extracted firmware file.

https://www.snbforums.com/threads/a...imesh-2-0-continued.69274/page-14#post-658258

Also, I linked each of CVE Security Vulnerabilities so you can read their description.

https://www.snbforums.com/threads/a...imesh-2-0-continued.69274/page-13#post-658105

I wanted to test if those @ASUSWRT_2020 files were matching with file on asus download page even tho i dont have that router model and it did but the hash on asus web page is not matching. Weird stuff and should be fixed as its important to have those hases cleaned up...

 

[Objects in Space]

Regarding the hash code not matching is very concerning since this beta is to address security vulnerabilities.

Did ASUS upload the wrong file or the wrong hash code or both?

 

[podkaracz]

Regarding the hash code not matching is very concerning since this beta is to address security vulnerabilities.

Did ASUS upload the wrong file or the wrong hash code or both?

My bet goes on wrong hash code on website because the hash of google drive files is exact same as the ones that are uploaded on asus download website its just wrong description. But thats my speculation.

 

[bbunge]

MD5 now matches

 

[Objects in Space]

Does anyone know if the only changes to this beta are the emergency fixes for the DNSmasq security vulnerabilities?

 

[bbunge]

Just ran this beta over 386.41634 with no apparent ill effects. This was on a "test" router with a fresh clean install of 386.41634 and minimally configured.

As for other fixes we only know what Asus told us on their web site about the security fixes. I plan to run this beta on other remote routers tonight. I do not expect problems.

 

[Deleted member 22229]

Does anyone know if the only changes to this beta are the emergency fixes for the DNSmasq security vulnerabilities?

Not sure but there is a new set of icons for network map.

 

[ForkWNY]

Does anyone know if the only changes to this beta are the emergency fixes for the DNSmasq security vulnerabilities?

There are under-the-hood changes beyond just the DNSmasq security fixes. Some have reported better stability/performance, some have reported additional issues cropping up, not unusual for a beta.

For me personally, I've run into stability issues with the web UI on the GT-AC5300 as the main AP/router, w/AiMesh nodes (I use 68U's as mesh nodes). The AiMesh nodes seem to be the root of the issue...when they're gone (either removed or powered off), I don't have stability issues at all. I did a factory reset when I installed 386_41994, wiped/initialized all settings and logs, reconfigured from scratch. Definitely have noticed some stability problems and reported through the admin web feedback page to ASUS. Others haven't had any issues. It's a roll of the dice with a beta.

 

[Objects in Space]

Thanks for the replies. I am surprised that ASUS did not release a new production release to fix the DNSmasq security vulnerabilities based on the most recent AC68U 3.0.0.4.386.41634 release.

I understand adding the security fixes to the current betas which appear to have other code modifications for testing new enhancements.

However, since these DNSmasq security vulnerabilities are marked high per my research, then ASUS should proceed with a production release ASAP based off the 3.0.0.4.386.41634 code.

 

[ForkWNY]

Chances are they cranked out some newer builds before the DNSmasq security vulnerabilities got onto their radar, so they made other changes and then patched up DNSmasq. Just speculating but that's my best guess. I have some other systems that were patched for DNSmasq vulnerabilities via standard security fixes.

 

[L&LD]

@Objects in Space, they have for some models already. Keep looking for yours.

Beta - RT-AC66U B1 Firmware version 9.0.0.4.386.41994 (Beta Version) | SmallNetBuilder Forums (snbforums.com)

 

[Objects in Space]

@Objects in Space, they have for some models already. Keep looking for yours.

Beta - RT-AC66U B1 Firmware version 9.0.0.4.386.41994 (Beta Version) | SmallNetBuilder Forums (snbforums.com)

ASUS has released the AC68U Beta Version on their product support website for my model and the same beta firmware is used in the other thread for testing betas.

My point was I expected ASUS to release a production version to patch these high security vulnerabilities. Not release a public beta which includes other modifications that is still being tested to resolve the security fixes.

 

[L&LD]

I don't see how else they can, 1. protect their customers in a timely manner and 2. without fully testing a solution first, do otherwise.

 

[Objects in Space]

Chances are they cranked out some newer builds before the DNSmasq security vulnerabilities got onto their radar, so they made other changes and then patched up DNSmasq. Just speculating but that's my best guess. I have some other systems that were patched for DNSmasq vulnerabilities via standard security fixes.

Do you remember what model numbers received the production DNSmasq security fixes?

Does ASUS rollout the changes starting with top-of-line routers and work their way down or does it appear random what models will rollout next?

 

[Objects in Space]

I don't see how else they can, 1. protect their customers in a timely manner and 2. without fully testing a solution first, do otherwise.

I am accustom to high and critical patches are tested internally by a company and then production release as I have seen in Windows and Apple iOS without customer betas.

 

[L&LD]

You mean without more public-facing betas.

They're still done.

And Asus giving you the choice to possibly be more secure isn't a bad thing either.

 

[bluzfanmr1]

I am accustom to high and critical patches are tested internally by a company and then production release as I have seen in Windows and Apple iOS without customer betas.

iOS always does customer betas.

 

[simpleIT]

I installed the beta 9.0.0.4 on my rt-ac68u and I can not get the openVPN to connect to the android phone apps. openVPN was working perfectly with the prior FW. And yes I downloaded a new client.opvn config file with the included cert from the router to the cell phone app. I noticed that the Beta .opvn file has slightly different settings for...
"
# for OpenVPN 2.4 or older
comp-lzo yes
# for OpenVPN 2.4 or newer
;compress lzo
"

where as the prior file had just ...
comp-lzo adaptive

So I changed the new file to use "adaptive" syntax and it still failed to connect.
I suspect something has changed with openVPN in this beta 9.0.0.4 rel and I can not figure out how to make it work.

Any suggestions?

UPDATE: I now have openVPN working in this beta rel. The problem was my doing. After updating I did a factory reset to ensure everything was fresh start. But I failed to get the DDNS->dns updater->dns host->client.ovpn file fully re-enabled and correlated. Hence the openVPN client was using the wrong IP address because the dns didn't resolve properly. I noticed the error in the log when openvpn attempted a connect. Sorry for the false alarm