Security bug : Administration reachable over WAN

Zuultroet

Hi everybody, and thanks for all the good work done here!

I came upon a strange issue on my Asus RT-AC66U running Merlin's 3.0.0.4.374.39 in router mode:

- when the router's firewall is disabled, the administration page is available from the WAN on port 80
- with the firewall enabled, when OpenVPN Server 1 (the only one I checked) is enabled, the administration page is available from the WAN on port 80

In both cases, "Administration from WAN" in administration -> system was disabled (the port was 8080 anyway). The behavior was the same after an NVRAM clear (WPS+on).

Did I do something horribly wrong, or is there some bug lurking in there?
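A defender-side way to check the two conditions the post describes, added here as an example (it is not code from the thread, from Asus or from the Merlin firmware): it parses the text of `netstat -lnt` and `iptables -S INPUT` captured on the router and reports which admin-HTTP ports are both bound on every interface and accepted from the WAN interface. The sample outputs are constructed and the interface names eth0 (WAN) and br0 (LAN) are assumptions.

```python
"""Offline audit of admin-port exposure on an Asus-style router, using the
text of `netstat -lnt` and `iptables -S INPUT` captured on the device.
Sample outputs are constructed; interface names eth0/br0 are assumptions."""
import re

NETSTAT_SAMPLE = """\
tcp  0  0 0.0.0.0:80       0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:8080     0.0.0.0:*  LISTEN
"""
# Constructed chain mirroring the thread's symptom: TCP/80 accepted from the WAN (eth0).
IPTABLES_SAMPLE = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
"""

def listening_on_all_ifaces(netstat_text):
    """TCP ports bound to 0.0.0.0, i.e. listening on every interface."""
    pat = r"^tcp\s+\d+\s+\d+\s+0\.0\.0\.0:(\d+)\s.*LISTEN"
    return {int(m.group(1)) for m in re.finditer(pat, netstat_text, re.M)}

def input_verdict(iptables_text, iface, port):
    """First-match walk of the INPUT chain for a NEW TCP SYN to `port` arriving
    on `iface`. Negated matches and jumps to user chains are not modelled."""
    policy = "ACCEPT"
    for line in iptables_text.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opt = dict(zip(tok[2::2], tok[3::2]))  # "-i eth0 -p tcp" -> {"-i": "eth0", ...}
        if "NEW" not in opt.get("--state", "NEW"):
            continue  # conntrack rule that only matches existing flows
        if (opt.get("-i", iface) != iface or opt.get("-p", "tcp") != "tcp"
                or int(opt.get("--dport", port)) != port):
            continue
        if opt.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opt["-j"]
    return policy

def wan_exposed_admin_ports(netstat_text, iptables_text, wan_iface, admin_ports=(80, 8080)):
    """Admin ports that are bound on all interfaces and accepted from the WAN."""
    bound = listening_on_all_ifaces(netstat_text)
    return sorted(p for p in admin_ports
                  if p in bound and input_verdict(iptables_text, wan_iface, p) == "ACCEPT")
```

With the constructed chain, port 80 is reported as exposed while 8080 falls through to the DROP policy; removing the TCP/80 rule makes the report empty.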
 
> Hi everybody, and thanks for all the good work done here!
>
> I came upon a strange issue on my Asus RT-AC66U running Merlin's 3.0.0.4.374.39 in router mode:
>
> - when the router's firewall is disabled, the administration page is available from the WAN on port 80
> - with the firewall enabled, when OpenVPN Server 1 (the only one I checked) is enabled, the administration page is available from the WAN on port 80
>
> In both cases, "Administration from WAN" in administration -> system was disabled (the port was 8080 anyway). The behavior was the same after an NVRAM clear (WPS+on).
>
> Did I do something horribly wrong, or is there some bug lurking in there?

How are you testing WAN access to your router? Port 80 should definitely not be accessible from WAN when the Firewall is enabled.

Try rebooting your router just in case your firewall didn't get properly configured after you re-enabled it.
 
Wow, that was a quick answer!

I rebooted several times, and even reflashed 3.0.0.4.374_4561 to check: the behavior is the same with the original Asus firmware...

My Asus RT-AC66U is currently in router mode behind my ISP's router/modem while I configure it, its WAN being 192.168.0.x, and the LAN side being in 192.168.1.x. I scan it from a PC connected to the ISP router, so definitely on the WAN side of the Asus.

Can anyone confirm this?
 
192.168.0.x is not a WAN address.
 
> 192.168.0.x is not a WAN address.

The point is, it is the WAN side of the Asus, and port 80 is visible from there. The actual IP is of little matter.

I use the Asus behind my ISP's router/modem while I'm configuring/learning it; after I have thoroughly tested it, I'll switch it and let it handle the routing... but not quite yet :-)
 
> The point is, it is the WAN side of the Asus, and port 80 is visible from there. The actual IP is of little matter.
>
> I use the Asus behind my ISP's router/modem while I'm configuring/learning it; after I have thoroughly tested it, I'll switch it and let it handle the routing... but not quite yet :-)

You're testing it wrong. The point is that a private address doesn't become public just because we'd like it to. :)
 
> Wow, that was a quick answer!
>
> I rebooted several times, and even reflashed 3.0.0.4.374_4561 to check: the behavior is the same with the original Asus firmware...
>
> My Asus RT-AC66U is currently in router mode behind my ISP's router/modem while I configure it, its WAN being 192.168.0.x, and the LAN side being in 192.168.1.x. I scan it from a PC connected to the ISP router, so definitely on the WAN side of the Asus.
>
> Can anyone confirm this?

I have the same kind of setup.
My ASUS is definitely *not* accessible from its WAN side with firewall enabled or openVPN Server-1 enabled.
 
I temporarily switched the Asus as router, to perform the quoted test: I disabled the router's firewall, and scanned. Result:

"80
HTTP
OPEN! The web is so insecure these days that new security "exploits" are being discovered almost daily. There are many known problems with Microsoft's Personal Web Server (PWS) and its Frontpage Extensions that many people run on their personal machines. So having port 80 "open" as it is here causes intruders to wonder how much information you might be willing to give away."

when re-enabling the firewall, I get :

"80
HTTP
Closed Your computer has responded that this port exists but is currently closed to connections."

Edit: Just to clarify, I switched my ISP's router/modem to a simple modem, the Asus's IP on the WAN side now being my external IP address, 78.217.xx.xx
 
Update: with the firewall re-enabled and OpenVPN server 1 enabled, grc.com says:


"80
HTTP
OPEN! The web is so insecure these days that new security "exploits" are being discovered almost daily. There are many known problems with Microsoft's Personal Web Server (PWS) and its Frontpage Extensions that many people run on their personal machines. So having port 80 "open" as it is here causes intruders to wonder how much information you might be willing to give away."
 
Which test?
 
> Edit: Just to clarify, I switched my ISP's router/modem to a simple modem, the Asus's IP on the WAN side now being my external IP address, 78.217.xx.xx

...if you do so, the ISP modem/router is not running a firewall and your ASUS is fully exposed to the internet.
If, in such a case, you disable the firewall on the ASUS too, the security issue is IMHO clearly in front of your keyboard. ;)

This is not a bug of the ASUS firmware; it is a misconfiguration manually introduced by you, the administrator.
It may prove, though, that there are some individuals that are fearless and may do so, even if not on purpose but by absence of better knowledge.
 
The one r00t4rd3d suggested, either disabling the firewall, or enabling OpenVPN server 1, and getting a scan from https://www.grc.com/ ... which I did as asked, and whose worrying results I posted just 3 messages above :-)
 
> ...if you do so, the ISP modem/router is not running a firewall and your ASUS is fully exposed to the internet.
> If, in such a case, you disable the firewall on the ASUS too, the security issue is IMHO clearly in front of your keyboard. ;)
>
> This is not a bug of the ASUS firmware; it is a misconfiguration manually introduced by you, the administrator.
> It may prove, though, that there are some individuals that are fearless and may do so, even if not on purpose but by absence of better knowledge.

- Firstly, I did this for the purpose of this test.
- Secondly, the said port 80 gives access to the administration page from the WAN, which was supposedly disabled, and whose port was 8080 anyway.
- Thirdly, even with the firewall enabled, starting the OpenVPN server opens port 80 and the admin page to the world, again.

All this was already written in my previous posts.
 
> If, in such a case, you disable the firewall on the ASUS too, the security issue is IMHO clearly in front of your keyboard. ;)

On another consideration, firewall or no firewall, finding a port 80 open to the world on my router IS a serious security concern. Masking it with a firewall does not satisfy me. All the more so as it leads to the router's admin page.

Please consider the problem a bit more carefully before treating it lightly.
 
> The one r00t4rd3d suggested, either disabling the firewall, or enabling OpenVPN server 1, and getting a scan from https://www.grc.com/ ... which I did as asked, and whose worrying results I posted just 3 messages above :-)

I can't do that test: even if I could; no point to (for me).

I don't see how misconfiguring your router is testing anything useful?
 
> - Firstly, I did this for the purpose of this test.
> - Secondly, the said port 80 gives access to the administration page from the WAN, which was supposedly disabled, and whose port was 8080 anyway.
> - Thirdly, even with the firewall enabled, starting the OpenVPN server opens port 80 and the admin page to the world, again.
>
> All this was already written in my previous posts.

Yes, I understood that you did this on purpose, but then you cannot call it a bug.
IMHO what you observe is only to be expected, when doing that kind of config in your test.

Again, with firewall enabled and/or openVPN-Server-1 up (enabled TLS auth-mode, BTW) I do *not* see this behaviour... my WAN side is completely dark with my ASUS running in router-mode behind my ISP's modem/router-bridge.
 
WAN is outside your network... from your modem to your ISP, not modem to router.

Are you saying you can access the router's admin page by going to (WAN IP address:80) from an outside (different) network?

You should only be able to remotely access (WAN access) the admin page via the port you set in the admin page (I use port 9999).
 
> I can't do that test: even if I could; no point to (for me).
>
> I don't see how misconfiguring your router is testing anything useful?

This is NOT misconfiguration: PORT 80 IS OPEN ON THE WAN SIDE, AND GIVES ACCESS TO ADMINISTRATION.
Whether you mask it or not with the firewall does not change the problem.

Also, enabling OpenVPN server 1 does not appear to me to be misconfiguration, and, even with the firewall enabled, ENABLES ACCESS TO THE ADMIN PAGE FROM THE WAN.

Sometimes I've got a distinct feeling that my posts are either not read, or not understood... Am I doing it wrong?
 