
Multiple Vulnerabilities in ASUS Routers - nwcs
http://seclists.org/bugtraq/2017/May/24
======
iuguy
ASUS uses their own Linux distro called ASUSWRT; whenever I've looked at it
it's been, well ... _interesting_ from a security perspective, even compared
to other WRT OSes.

I did a ton of stuff on the AC series and some of their smaller hardware (like
the WL330-NUL which is an awesome little thing but riddled with bugs). The
bottom line is that if you have an ASUS, you should expect bugs.

If you're worried about being exploited via your router, making sure you use a
dedicated browser to configure a router and have no other web pages open at
the time will help against certain classes of bug, as will logging out
immediately after you've finished. Making sure that you know what's being
forwarded is also useful, as is turning off UPNP.

OpenWRT is a little bit better (but people tend not to update their routers)
but has its flaws for various reasons (mostly in the web interface), as do
most of the WRTs. If you're really worried, Mikrotiks tend to be better, and
very little beats an OpenBSD firewall.

------
mszcz
This always boggles my mind. The hardware on those seems decent enough but the
software is almost universally utter dog shit. Why these companies treat
the software (security as well as UX) side so poorly, considering that this is
what the end user sees, is beyond me.

I bought one of those affected routers recently. Since the DD-WRT has slower
Wifi performance for that model I considered staying with the stock
firmware... for about 30 minutes. When configuring something device names I
think I used '-' in a name. The Web UI allowed it and saved it. On refresh the
JS was all broken because of that character. No device list for me. Flashed it
with DD-WRT, never looked back.

~~~
bsamuels
usually the firmware for these devices was written up to 10 years ago, when
the threat landscape was very different from what it is today.

you'll notice that newer devices on fresh codebases (ie: mesh routers) are
much more up to par security-wise.

~~~
mszcz
Certainly seems that way. I didn't/don't have any mesh routers so I couldn't
tell but I imagine that the Google router thingy is way better software/security
wise (privacy being probably a separate discussion in this particular case ;).
I've also read some good things about Ubiquiti here.

Anyhow I keep wondering how many beatings on the security front do those
companies need to take in order to figure out that, at the current landscape,
developing a decent, secure and clean firmware/frontend would give them a big
big edge over the competition.

------
callahad
If you're using Asuswrt-Merlin, looks like these fixes are only available in
the current 380.66 Beta builds:
[https://github.com/RMerl/asuswrt-merlin/blob/0e15da3404ccabb...](https://github.com/RMerl/asuswrt-merlin/blob/0e15da3404ccabbf13509a911c7ddc4a5efa5461/Changelog.txt#L5)

~~~
reiichiroh
can you flash asuswrt-merlin over the default asus firmware?

~~~
msbarnett
Yes

~~~
reiichiroh
Thanks for confirming!

------
jacobsenscott
The usual wifi router security rules apply:

- change the default password
- keep the firmware updated
- disable WPS.
- If possible change the port the web interface is running on (don't use port 80
  or 443)
- disable the web interface if you are command line savvy.
- disable wifi access to the web interface (require ethernet)

~~~
gtdawg
And document these changes in written form taped to the router. Nothing like a
factory reset due to a lost password or obfuscated management port change.

------
vlod
Is it time to get a "grown-up" firewall for my home?

I'm currently using a standard Apple Time Machine as a firewall/router, but
with all this crap (crap router software/hack attempts/NSA shenanigans) going
on, thinking about putting something more serious in front of it (connected to
my broadband modem). Yeah.. I realize I'm sounding paranoid.. ;)

I'm thinking of Protectli's "Firewall Micro Appliance"
[https://www.amazon.com/dp/B01H2QJTM4](https://www.amazon.com/dp/B01H2QJTM4)

I believe it's FreeBSD and comes with pfSense. Thoughts?

~~~
blacksmith_tb
That looks like a very nice box, if a bit expensive. I have been quite happy
with my Mikrotik hAP AC[1], I run the dev previews so I get firmware updates
pretty much weekly (and at least for my home network, none of them have broken
anything, yet...)

1: [http://a.co/37wiiiM](http://a.co/37wiiiM)

~~~
sliken
I'd hope something like that would last years, and even today 100mbit is lower
than many network connections. I try to switch to the comcast plan that's the
best bang per $, and that's currently 200 mbit at my locale. The ubiquiti
seems similar, but has GigE.

------
acd
Routers should run open source software so vulnerabilities can be patched by
the community.

Router manufacturers want to push the latest hardware for profit. The only
reason router manufacturers want to patch security vulnerabilities is negative
press articles. Negative press would hurt future sales so it's better to patch
the current product line. When the current product line is no longer sold, security
patches stop but the use of the device by its users continues.

This is the reason we need to open source everything.

If it can be hacked it will be hacked.

------
mjevans
Looks like anyone using third party firmware (such as
[https://wiki.openwrt.org/toh/start](https://wiki.openwrt.org/toh/start) )
shouldn't be affected by the issues this advisory highlights.

~~~
qb45
Actually nowadays OpenWRT is LEDE, but there are talks about merging the
projects back as we speak.

[https://lede-project.org/about](https://lede-project.org/about)

And yes, I'm surprised there still are routers in the wild not running OpenWRT
:p

~~~
CharlesW
I'd consider it, but I'm generally happy with the Asuswrt-Merlin firmware, and
I can't find a resource that describes things like benefit, risks, and
functionality I might lose. Is there such a thing?

~~~
callahad
AFAIK, only the stock and Asuswrt-Merlin firmware builds support Broadcom's
proprietary acceleration (ctf.ko). On my RT-N66U, WAN throughput can hit 870
Mbps. Without it, I max out around 170 Mbps.

If there's a way to run OpenWRT / LEDE _and_ get gigabit speeds out of a
router, someone please let me know. :)

~~~
CharlesW
> _On my RT-N66U, WAN throughput can hit 870 Mbps. Without it, I max out
> around 170 Mbps._

Eeek! Thank you. :O)

------
tracker1
This is one thing that pisses me off, more about the FCC who requested the
routers be fully locked down... I used to buy all ASUS as before the change it
was very easy to get third party (Tomato) firmware on them that was updated
more regularly.

------
nigma
The 4G-AC55U router is also vulnerable but did not receive a security firmware
update (last firmware release was a year ago on 2016-05-20) and is not listed
on the page.

If you happen to be running this device you may want to apply precautionary
measures.

------
10165
Am I the only user who does _not_ want a web interface on a router?

~~~
cknight
I doubt it, but for consumer-grade devices that need to have sufficient mass-
market appeal, it's the logical choice.

------
michaelmcmillan
Why don't routers simply host their admin panels on a separate and secured
wireless network that is blocked from the internet? Although it sounds
impractical, it would render so many of these CSRF/XSS exploits useless.

~~~
bsamuels
because then the vast majority of users wouldn't know how to use it.

even if you include instructions you'll have a huge proportion of users who
will either return the device because they couldn't figure it out, or call
your support line and make your support overhead skyrocket

~~~
gervase
This is probably quite accurate. I doubt more than 20% of the population even
KNOWS that their router has a "configuration screen", much less how to access
it.

The biggest practical security upgrade for most users was when they started
randomizing SSIDs/passwords and printing them on stickers on the back of the
router.

------
lostmsu
I wonder why some routers are not listed as vulnerable (I have N65U)

------
busterarm
Title should have the word 'again' at the end.

------
tmaly
does this affect the asus black diamond router?

The web interface to update the firmware has never worked for me.

~~~
x_foo_x
Open the link and check for yourself...

~~~
tmaly
I did, there was no mention of specific models

~~~
Chilinot
There are, check the bottom of the page.

"Affected models include the following ASUS routers:

RT-AC55U RT-AC56R RT-AC56S RT-AC56U RT-AC66U RT-AC88U RT-AC66R RT-AC66U
RT-AC66W RT-AC68W RT-AC68P RT-AC68R RT-AC68U RT-AC87R RT-AC87U RT-AC51U RT-AC53U
RT-AC1900P RT-AC3100 RT-AC3200 RT-AC5300 RT-N11P RT-N12 (D1 version only)
RT-N12+ RT-N12E RT-N18U RT-N56U RT-N66R RT-N66U (B1 version only) RT-N66W"

