Menu
What's new
By:
Filters Better Search

Vulnerabilities & updates

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

V

Valyno

Occasional Visitor
Hello Guys,

Probably a stupid question but this topic has been nagging at me for a while.
Last year, a security study on consumer routers demonstrated that the firmwares of 127 machines were based on old versions of Linux, mainly unpatched.
www.ctrl.blog

Network routers are just computers

Network routers are neither appliances nor magic; they’re computers and computers require ongoing maintenance and security patching. But whose job is that?
www.ctrl.blog www.ctrl.blog
What about Asus-Merlin?
Is it patched or are we at risk like the regular firmwares as described in the study?
Here, it is a vulnerability in Asus AX86U firmware. No mention by Asus of any patch. What about Asus-Merlin?

Thks!
Valyno
 
You make me feel safe @L&LD, you're like a wise old grandma in a beige cardigan.
 
Valyno said:
Here, it is a vulnerability in Asus AX86U firmware. No mention by Asus of any patch. What about Asus-Merlin?
Click to expand...

That site makes a lot of assumptions based on no factual data or actual testing of their own. For instance, what is the CVE that refers to that particular security issue? If there was no CVE assigned to it, then that often means that you cannot assume that the issue still exists just because it wasn't specified in the changelog. Asus tends to only document actual CVEs.

I've seen sites complaining about security issues that Asus had actually gone and fixed over a YEAR ago...

"Is it patched?" is a very broad question. You have to be more specific as to which specific security issues you are referring. Asus regularly patches security issues as they are found, same for me.
 
RMerlin said:
That site makes a lot of assumptions based on no factual data or actual testing of their own. For instance, what is the CVE that refers to that particular security issue? If there was no CVE assigned to it, then that often means that you cannot assume that the issue still exists just because it wasn't specified in the changelog. Asus tends to only document actual CVEs.

I've seen sites complaining about security issues that Asus had actually gone and fixed over a YEAR ago...

"Is it patched?" is a very broad question. You have to be more specific as to which specific security issues you are referring. Asus regularly patches security issues as they are found, same for me.
Click to expand...

I was looking at the page provided by op and there was no info about vulnerabilities but i googled a bit about this contest and i found some info.
Accoring to routersecurity.org there were no fixes issued even in latest official firmware.
"January 2, 2021: Still nothing on the Asus Security Advisory page. But, there is new firmware, version 3.0.0.4.386.41535 dated Dec. 30, 2020. There were many changes in the firmware, but there is no mention of a bug fix. The bug seems to have fallen off the end of the earth. Such are consumer routers."

Whats interesting that "hacking contest" was discussed here on SNB

Asus, Netgear, and TP-LINK routers cracked at China's Tianfu world competition | SmallNetBuilder Forums (snbforums.com)

Here is twitter and the router was compromised with SQLi attack ( whatever that is)

TianfuCup (@TianfuCup) / Twitter
 
Last edited by a moderator:
podkaracz said:
I was looking at the page provided by op and there was no info about vulnerabilities but i googled a bit about this contest and i found some info.
Accoring to routersecurity.org there were no fixes issued even in latest official firmware.
"January 2, 2021: Still nothing on the Asus Security Advisory page. But, there is new firmware, version 3.0.0.4.386.41535 dated Dec. 30, 2020. There were many changes in the firmware, but there is no mention of a bug fix. The bug seems to have fallen off the end of the earth. Such are consumer routers."

Whats interesting that "hacking contest" was discussed here on SNB

Asus, Netgear, and TP-LINK routers cracked at China's Tianfu world competition | SmallNetBuilder Forums (snbforums.com)

Here is twitter and the router was compromised with SQLi attack ( whatever that is)

TianfuCup (@TianfuCup) / Twitter
Click to expand...
In my area work, we are aware that manufacturers and governments are not keen at admitting or stamping out security vulnerabilities. They oft work hand in hand to make use of these breaches, some accidental, many deliberately introduced. And they have armies of trolls ready to deploy to downplay, pooh-pooh and bury news of discovered compromises.
 
mromero said:
In my area work, we are aware that manufacturers and governments are not keen at admitting or stamping out security vulnerabilities. They oft work hand in hand to make use of these breaches, some accidental, many deliberately introduced. And they have armies of trolls ready to deploy to downplay, pooh-pooh and bury news of discovered compromises.
Click to expand...

This sounds like conspiracy theory. It was confirmed many times that vendors leave backdoors for goverment to compromise the router but i doubt people here will discredit any1 for exposing it. If you want to be 100% sure no1 is messing with ur router build it from scratch yourself. Good luck with technical knowdlege and money needed to do this :D Not only hardware but also firmware its a hard task.
 
podkaracz said:
Accoring to routersecurity.org there were no fixes issued even in latest official firmware.
Click to expand...

What they said is that Asus hasn't ANNOUNCED a security fix. That doesn't mean they haven't implemented any. So here they are making assumptions.
 
RMerlin said:
What they said is that Asus hasn't ANNOUNCED a security fix. That doesn't mean they haven't implemented any. So here they are making assumptions.
Click to expand...

I dont know how reliable this source is (routersecurity.org). Either Asus patched it without informing or they are hiding it. Sadly there is no1 to test this vulnerability to confirm whos right here. Also i tried to look for more info about this vulnerability but there is noone. If i understand correctly SQLi attack is a type of attack/attack vector and not actual name of vulnerability so there is no precise cve to watch for.

Im not 100% sure if its this but i found this on grc.com where they discussed this tianfu event as well as many other things:

"NAT Slipstreaming exploits the user's browsers, in conjunction with the Application Level Gateway connection tracking mechanism built into NATs, routers, and firewalls, by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse. As it's the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions."

source: Security Now! Transcript of Episode #792 (grc.com)
 
Last edited by a moderator:
RMerlin said:
What they said is that Asus hasn't ANNOUNCED a security fix. That doesn't mean they haven't implemented any. So here they are making assumptions.
Click to expand...

So i found out to prevent this SQLi attack we should turn off ALG on our router what do you think about that? What things in that tab where ALG is should i disable if not in use for security purposes? Also all that stuff SIP and others should be turned off for security purposes i suppose.

How to disable ALG because i see only port is visible and some other settings that i already turned off. So where is the ALG switch?
 
Last edited by a moderator:
The NAT Slipstream attack is the one that uses ALGs helpers to potentially compromise clients. I recommend making sure none of the settings on the NAT Passthrough page is set to "Enabled + NAT Helper", they should be either "Enabled" or "Disabled". I haven't tested this, but I would expect that ensuring NAT helpers are disabled to be enough to prevent this attack vector.

Those ALG are generally not needed by modern clients. For instance, I have both an ATA (for my home phone) and a direct IP phone (for work) here, both work fine without the need for an ALG helper.

Note that numerous browsers are now implementing mitigation methods by blocking certain ports used by these protocols.
 
RMerlin said:
The NAT Slipstream attack is the one that uses ALGs helpers to potentially compromise clients. I recommend making sure none of the settings on the NAT Passthrough page is set to "Enabled + NAT Helper", they should be either "Enabled" or "Disabled". I haven't tested this, but I would expect that ensuring NAT helpers are disabled to be enough to prevent this attack vector.

Those ALG are generally not needed by modern clients. For instance, I have both an ATA (for my home phone) and a direct IP phone (for work) here, both work fine without the need for an ALG helper.

Note that numerous browsers are now implementing mitigation methods by blocking certain ports used by these protocols.
Click to expand...
settings.png

Wyłącz means disabled. So is this enough or i should disable something more because i cant find ALG toggle just this. From what ive read thus far those settings are in fact "ALG" and there is no separate "ALG" toggle. Am i right?

This podcast that i linked above has a lot info about this vulnerability. It was used to compromise ax86u and in response to this web browsers are beeing patched to block some ports from what i can read. Also he states that its better to disable because who knows what can happen in the future and its possible attack vector.
really good read
 
Last edited by a moderator:
podkaracz said:
Wyłącz means disabled. So is this enough or i should disable something more because i cant find ALG toggle just this.
Click to expand...

"NAT Helper" = ALG. So if it's not showing "NAT Helper" then it means the ALG aren't used.
 
Based on this discussion, I looked at my NAT->Nat Passthrough tab, and found that the 3 options that had NAT Helper as options were enabled. So I changed all 3 to only Enable because I do not know what they affect. I too have an ATA in my network, so I'm guessing at least the SIP Passthrough needs to be Enabled, but do not know about any of the options. After making those changes, do I need to reboot the router or are the settings dynamic? Also if this is such a security concern, why aren't the NAT Helper options disabled by default?
 
TonyK132 said:
Based on this discussion, I looked at my NAT->Nat Passthrough tab, and found that the 3 options that had NAT Helper as options were enabled. So I changed all 3 to only Enable because I do not know what they affect. I too have an ATA in my network, so I'm guessing at least the SIP Passthrough needs to be Enabled, but do not know about any of the options. After making those changes, do I need to reboot the router or are the settings dynamic? Also if this is such a security concern, why aren't the NAT Helper options disabled by default?
Click to expand...

I tested it on asus rtac86u and i did not have option to select "nat helper" only disable or enable maybe it was patched what firmware are you on? Im currently on latest beta with dnsmasq fixes.
 
384.19_0. But I've had many previous Merlin versions since I got the AC86U a few years ago. I do not recall ever going to that tab, and if I did, then it was a "Whoa, I have no idea what any of this is, so I will leave the defaults alone".
 
TonyK132 said:
384.19_0. But I've had many previous Merlin versions since I got the AC86U a few years ago. I do not recall ever going to that tab, and if I did, then it was a "Whoa, I have no idea what any of this is, so I will leave the defaults alone".
Click to expand...

Update to latest firmware (released today by Merlin) with security fixes and format i use wps reset cuz it seems the most stable. Then check again if you are able to pick +nat helper because im using latest asus beta and there is no option for this only enable/disable. Its good to check aiprotection tab and make sure to have all things checked there (potential attack vectors).
 
Last edited by a moderator:
Asus does not offer the option to just disable NAT helper. I don't know if they have fixed it, but last time I checked a few years ago, setting this to Disable had the unfortunate side-effect of also actively blocking that port, preventing for instance SIP from working.
 
RMerlin said:
Asus does not offer the option to just disable NAT helper. I don't know if they have fixed it, but last time I checked a few years ago, setting this to Disable had the unfortunate side-effect of also actively blocking that port, preventing for instance SIP from working.
Click to expand...

Something changed in latest firmware then because i cant seem to pick nat helper from list (not sure how it looks on previous firmware) but on latest beta i can pick either disable or enable and there is no +nat helper option. Do you recommend enabling anything there or its better to leave it all off?
 
You must log in or register to reply here.

Similar threads

torstein
Avoid Consumer Routers
2
Replies
39
Views
7K
netware5
netware5
Similar threads
Thread starter Title Forum Replies Date
D Solved Windows 11 updates won't download attempted disabling router settings. Asuswrt-Merlin 18
grizfan Best practices for firmware updates? Asuswrt-Merlin 5

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 699 (members: 30, guests: 669)
Top