Vulnerable outdated jQuery used in 386.7_2 (current latest version)

[Hardenizer]

The jquery version used in asus merlin is 1.10.2 while the latest jquery available is 3.6.1 which has many security fixes e.g:

1. https://github.com/jquery/jquery/issues/2432
2. http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
3. https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
4. https://nvd.nist.gov/vuln/detail/CVE-2019-11358
5. https://nvd.nist.gov/vuln/detail/CVE-2015-9251
6. https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
7. https://bugs.jquery.com/ticket/11974
8. https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

 

[RMerlin]

Do you have any POC that can exploit any of these while not logged into the router?

Keep in mind that most issues are really for public-facing websites. All the jquery-based pages in the firmware are not accessible unless you are already logged in, at which point you already have full access to the router.

 

[Hardenizer]

Do you have any POC that can exploit any of these while not logged into the router?

Not really, i just found this firmware (asus merlin) before couple of days ago.

Keep in mind that most issues are really for public-facing websites.

Thats true, but not sure its a good idea to gamble on the security for outdated software VS well yeah do you have a POC otherwise everything is just fine until then..

Anyway just wanted to point out this since no thread talked about it.

 

[RMerlin]

Not really, i just found this firmware (asus merlin) before couple of days ago.


Thats true, but not sure its a good idea to gamble on the security for outdated software VS well yeah do you have a POC otherwise everything is just fine until then..

Anyway just wanted to point out this since no thread talked about it.

I considered upgrading jquery a few years ago, however the current built-in version is so old, there would be a lot of regression testing required, so I'd rather leave that up to Asus, unless an actual exploit comes up, at which point I can put some pressure on them to update it.

 

[domic]

I considered upgrading jquery a few years ago, however the current built-in version is so old, there would be a lot of regression testing required, so I'd rather leave that up to Asus, unless an actual exploit comes up, at which point I can put some pressure on them to update it.

No code is bulletproof, and in an ideal world we'd pentest everything and patch it, but I believe your approach is the best one keep keep a healthy long-term open relationship with Asus. Keeping things casual and professional.

I still wish upstream partners would F(L)OSS their code so projects like OpenWRT could release firmware for our lovely AX86U routers (and others).

 

[RMerlin]

I still wish upstream partners would F(L)OSS their code so projects like OpenWRT could release firmware for our lovely AX86U routers (and others).

Broadcom are highly paranoid when it comes to IP protection. For crying out loud, they even had "Confidential/Proprietary" headers on some Makefiles...

 

[domic]

Broadcom are highly paranoid when it comes to IP protection. For crying out loud, they even had "Confidential/Proprietary" headers on some Makefiles...

Jeez, that's pretty extreme.
Of course, I understand why they want to protect their work and intellectual property. (FOSS doesn't pay the bills etc), but yeah, pretty extreme.