SECURITY: LAN-side security hole - mitigation

I have updated to the latest 49_5 and I can see traffic on port 9999; my INPUT drop rule takes care of it.

Port 9999 isn't completely disabled by the security fix; I merely disabled the specific function in infosvr that allows executing any arbitrary command over port 9999. That port is still used by infosvr for other things. I suspect it might be used by Asus's printer sharing utility, for instance.
 
For those using stock firmware: expect an update from Asus in a day or two for all affected products.
 
Question: Let's say you patched this 'too late'. Would doing a hard reset of the router by holding the reset button actually remove any backdoors/exploits? Or is it the case that if someone gets root, the backdoor will be persistent forever and your only hope is to get a new router? My understanding is that the factory reset only resets the configuration options and does not physically reimage the OS.

Or does simply upgrading to the latest patch remove any backdoors?
 
Are you serious?
 
Yes, once it's patched the threat is over. If you change firmwares, then the new firmware would also have to have the patch/fix.
 
The intention was not to be sarcastic, but... you really think you would need to buy a new router?

Newer firmware will fix all security flaws on all routers; ASUS always does that after security issues on their equipment are reported and confirmed.

Cheers
 
I just didn't know if the 'firmware' upgrade only upgraded certain things or did a total rewrite of all data.

Obviously some data is left intact, though; otherwise you would have to re-enter all your settings, which doesn't happen after an update.

Couldn't an attacker who had root leave legacy code running, stored in one of the same spots?
 
True, but you seem to be talking about intentional firmware corruption, where the builder writes back doors with access into their code. I suppose that will always be a risk, not only with stock firmware but with any firmware. And yes, settings in most cases remain intact, but it's still always a good idea to clear NVRAM with a factory reset after a firmware upgrade.
 
The only way to be 100% sure would be to reflash the bootloader, reflash the firmware, and do a factory default reset. Now, the likelihood of any exploit having overwritten the bootloader with exploit code is very, very unlikely. It would require advanced technical know-how, and require so much effort that someone might have done it if you were a bank and there were millions of dollars at stake. But for access to your personal stash of photos? I'd say just reflash the firmware, followed by a factory default reset if you don't feel safe, and reformat any plugged USB disk. After that, change any password that was stored in your router: PPPoE, DDNS, router access, etc...
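Added example, not code from this thread, from Asus or from the Merlin firmware: the earlier question about where an attacker with root could leave something that survives an upgrade has a concrete answer on an Asuswrt-Merlin router, because a few writable locations are kept across a firmware flash. The script below inventories them with a hash and modification time per file, flags the executable ones (those the firmware will actually run at boot), and lists anything newer than a reference time such as the moment you last flashed known-good firmware. The paths are assumptions drawn from the Merlin firmware layout (/jffs user scripts and configs, Entware under /opt, the cron spool); on that firmware the JFFS partition is not wiped by the nvram factory reset unless you also tell the firmware to format it, which is why it comes first.

```shell
#!/bin/sh
# Added example (not from the thread): inventory the upgrade-surviving,
# writable locations on an Asuswrt-Merlin router so that anything left behind
# by a root compromise stands out.  Paths are assumptions based on the Merlin
# firmware layout; adjust for other firmware.  ROOT lets the same functions run
# against a copied tree (or a test directory) instead of the live router.

# Directories that survive a firmware flash (and, for /jffs, a factory reset
# unless JFFS is formatted).  Relative to ROOT so they can be re-based.
PERSIST_DIRS="jffs/scripts jffs/configs jffs/addons opt/etc/init.d var/spool/cron/crontabs"

# Print one line per file: "<flag> <sha256> <mtime-epoch> <relative-path>".
# flag is "x" for executable files (boot-time scripts) and "-" otherwise.
audit_persistence() {
    root="${1:-/}"
    for d in $PERSIST_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f | sort | while IFS= read -r f; do
            flag="-"
            [ -x "$f" ] && flag="x"
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            # busybox and GNU stat both support -c %Y; fall back to "?"
            mtime=$(stat -c %Y "$f" 2>/dev/null || echo '?')
            printf '%s %s %s %s\n' "$flag" "$sum" "$mtime" "${f#$root/}"
        done
    done
}

# Filter audit_persistence output to files modified after EPOCH (seconds).
# Usage: audit_persistence ROOT | newer_than EPOCH
newer_than() {
    awk -v ref="$1" '$3 != "?" && $3+0 > ref+0 { print $4 }'
}

# Only meaningful on the router itself: listeners, processes and any nvram
# variable that looks like it carries a script (heuristic, assumed names).
live_checks() {
    netstat -lnp 2>/dev/null
    ps
    nvram show 2>/dev/null | grep -iE 'script|/jffs'
}

case "${1:-}" in
    audit)  audit_persistence "${2:-/}" ;;
    newer)  audit_persistence "${3:-/}" | newer_than "$2" ;;
    live)   live_checks ;;
    *)      echo "usage: $0 audit [ROOT] | newer EPOCH [ROOT] | live" >&2 ;;
esac
```

Save the first run's output after a clean flash; the next time you suspect something, diff the two listings and read every file that changed, rather than trusting a reset to have cleaned up for you.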
 
I've already reported that to ASUS networking support; let's wait for a fix. My fix for now is this:

killall -9 infosrv

Just to avoid stupid errors, what everybody needs to input is of course:

    killall -9 infosvr

Note the spelling: infosvr, not infosrv.
 
GPL 3.0.0.4.376.3754 for RT-N16 (RT-N53) out with fix from ASUS.

GPL 3.0.0.4.378.3873 for RT-AC68P out with fix from ASUS.
 
By now everyone should be aware of this, and the latest releases from both Asus and I address this issue, so I'll un-stick this topic.
 
That doesn't mean you've been hacked.

Try rebooting the router first and waiting a few minutes before you try logging in again.

Also, make sure you've cleared your browser cache and possibly reboot the computer you're trying to connect from too.


But if you do have to start fresh, hold down the WPS button while booting up and that will reset the router to factory defaults. I don't see a need to put stock firmware on first; simply install the latest RMerlin firmware if needed and set up the router with a different login name and password than you had previously.
 
I believe that I have been hacked. There's really only one user using this router, and she reported to me yesterday that she was being asked by the ISP for a login. While the screen was a pretty nice forgery of the ISP's style, the ISP never asks for a login. I clicked on "forgot password" and the information was obviously a phishing expedition. Add to this that the URL wasn't SSL. Users not going through the ASUS RT-AC66W were not having any issues. I had her switch to an access point and the problem went away. The strange thing is that I'm running a much newer version of Rmerlin (378.54_2) than the one he says is fixed.
 
You're replying to a thread that is a year old. And using firmware that is at least half a year old.

Why are you not running the latest (or at least a more current) firmware?
 
Oops. Thanks. It didn't sink in that January 2015 wasn't this year (still living in the past, I guess). I'm running the firmware that was available when I set up the thing back in September. I will install the latest version as soon as I have the time. Until then, it's powered off.
 
Sorry to crash in on this hijacking, but now it seems that port 9999 has a real use: if this port is blocked by a firewall rule, real-time statistics (real-time traffic and system monitor) will not work in the Asus router mobile app. I am not sure if the mobile app was even available when this thread was started...

Just in case someone wanted to know...
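Added example, not code from any post here or from the Merlin firmware: the INPUT drop rule mentioned near the top of the thread and the mobile-app caveat just above pull in opposite directions, so a practitioner wants a rule that keeps port 9999 reachable from the one host that needs it and drops (and logs) everything else. The script below is written in the shape of an Asuswrt-Merlin firewall-start script, emits the iptables commands for review before applying them, and includes a helper that summarises the logged drops by source so you can see which LAN hosts are actually hitting infosvr. The interface name, trusted host and log prefix are assumptions; infosvr listening on UDP 9999 is known behaviour of the daemon rather than something this thread states. A `killall` of infosvr, by contrast, lasts only until the next reboot.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): restrict infosvr's
# port 9999 on the LAN side to one trusted host, log the rest, and summarise
# the log.  LAN_IF, TRUSTED and PREFIX are assumptions; infosvr listens on
# UDP 9999 (daemon behaviour, not stated in the thread).
LAN_IF="${LAN_IF:-br0}"              # assumed LAN bridge interface
TRUSTED="${TRUSTED:-192.168.1.10}"   # assumed host allowed to reach infosvr (e.g. the phone running the Asus app)
PREFIX="${PREFIX:-infosvr-drop: }"   # assumed log prefix
IPT="${IPT:-iptables}"

# Print the rule set instead of applying it, so it can be reviewed or tested.
# Dedicated chain: RETURN for the trusted host, rate-limited LOG, then DROP.
# The -C/-I pair makes the INPUT hook idempotent across re-runs.
emit_rules() {
    cat <<EOF
$IPT -N INFOSVR 2>/dev/null
$IPT -F INFOSVR
$IPT -A INFOSVR -s $TRUSTED -j RETURN
$IPT -A INFOSVR -m limit --limit 6/min -j LOG --log-prefix "$PREFIX"
$IPT -A INFOSVR -j DROP
$IPT -C INPUT -i $LAN_IF -p udp --dport 9999 -j INFOSVR 2>/dev/null || $IPT -I INPUT -i $LAN_IF -p udp --dport 9999 -j INFOSVR
EOF
}

apply_rules() { emit_rules | sh; }

# Read kernel-log lines (dmesg or /tmp/syslog.log) on stdin and print one
# line per source address, "<count> <SRC>", most active first.
drop_summary() {
    grep -F "$PREFIX" \
        | sed -n 's/.*SRC=\([0-9.]*\) .*DPT=9999.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample log lines (not captured from a real router) in the
# format the kernel's LOG target produces, for trying drop_summary offline.
SAMPLE_LOG='Jan 12 10:00:01 kernel: infosvr-drop: IN=br0 OUT= SRC=192.168.1.77 DST=192.168.1.255 LEN=540 PROTO=UDP SPT=9999 DPT=9999 LEN=520
Jan 12 10:00:03 kernel: infosvr-drop: IN=br0 OUT= SRC=192.168.1.77 DST=192.168.1.255 LEN=540 PROTO=UDP SPT=9999 DPT=9999 LEN=520
Jan 12 10:00:05 kernel: infosvr-drop: IN=br0 OUT= SRC=192.168.1.23 DST=192.168.1.255 LEN=60 PROTO=UDP SPT=41000 DPT=9999 LEN=40'

case "${1:-}" in
    show)    emit_rules ;;
    apply)   apply_rules ;;
    summary) drop_summary ;;                                  # e.g. dmesg | ./infosvr.sh summary
    sample)  printf '%s\n' "$SAMPLE_LOG" | drop_summary ;;
    *)       echo "usage: $0 show|apply|summary|sample" >&2 ;;
esac
```

Run `show` first and check that the INPUT hook lands above any broad accept rule for the LAN; if the mobile app's statistics stop working, the trusted host is wrong, not the port.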
 
Any way to stop the router from spamming port 9999?
I've had it less than 6 hours and it's already annoying me.
 