Security Concern for our routers or nah?

[Todd Snigg]

So Google has been blasting my Pixel phone's news feed with articles about a set of new vulnerabilities for the RT-AC1900p, which I own, running Merlin's build.

Examples: 1st Article 2nd Article

They reference CVE-2020-15498 and CVE-2020-15499 which appear to be a MTM and XSS type of issue.

Is this something I need to be concerned about if I'm running Merlin's build 384.17? Seems like maybe it's not an issue since I don't have my router set to auto-update firmware. But I was just curious. I didn't see much other discussion on this site and searched for those CVE #s to no avail.

Thanks,

Todd

 

[dave14305]

The only place I see the "no-check-certificate" is in the Trend Micro signature update scripts.

 

[Dabombber]

Asuswrt-Merlin only checks for updates, it doesn't try to download them.

New firmware availability check will remain automatic, and firmware upload will remain manual. I don't support automatic "live updates". Just like it has always been with Asuswrt-Merlin. Only nodes running the stock Asus firmware will be able to perform live updates.

I'd be more concerned about custom scripts running on the router, lots of people seem to use wget --no-check-certificate without understanding what it does.

 

[RMerlin]

Aside from the fact that my firmware doesn't have live update capabilities, I have been enforcing certificate checks for many years now.

 

[Todd Snigg]

Aside from the fact that my firmware doesn't have live update capabilities, I have been enforcing certificate checks for many years now.

Thanks Merlin for the peace of mind. We all really appreciate your work.