ASUS Releases Firmware Update for Critical Remote Authentication Bypass Affecting Seven Routers (bleepingcomputer.com)
A report from BleepingComputer notes that ASUS "has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices." But there's more bad news:
Taiwan's CERT has also informed the public about CVE-2024-3912 in a post yesterday, which is a critical (9.8) arbitrary firmware upload vulnerability allowing unauthenticated, remote attackers to execute system commands on the device. The flaw impacts multiple ASUS router models, but not all will be getting security updates due to them having reached their end-of-life (EoL).
Finally, ASUS announced an update to Download Master, a utility used on ASUS routers that enables users to manage and download files directly to a connected USB storage device via torrent, HTTP, or FTP. The newly released Download Master version 3.1.0.114 addresses five medium to high-severity issues concerning arbitrary file upload, OS command injection, buffer overflow, reflected XSS, and stored XSS problems.
Re: (Score:3)
That totally depends. For medical devices and data, there is a law that the manufacturer must be able to support it for 15 years. I remember when I worked for a company working in healthcare, and the DVD was introduced, providing a huge amount of backup space more than the CDs they were using. The problem was: should we use +R or -R? Because their decision then would bind them for 15 years.
For the same reason, the company kept nearly 15 years old computers with nearly 15 years old operating systems to be ab
Re: (Score:2)
They could offer partial refunds if they don't want to update the firmware.
The way it works in the UK is if something breaks or becomes unfit for purpose (e.g. because it is insecure), the vendor (i.e. the shop you bought it from) has to either fix it or offer a partial refund based on how long you would reasonably expect it to last.
ASUS routers are premium products, I think at least 10 years is reasonable for those.
Re: (Score:2)
They still patched the RT-AC68U which is 11 years old at this point.
Re: (Score:2)
For something like a router, 5 years after EOS (end of sale) would likely be reasonable. Right now I do not believe there is a big difference between EOS and EOL for ASUS. Picking an RT-AC56 (in that list, I have one). It is an AC router so still decent in 2024. It was released in July 2014. Nov 2018 was when ASUS put it on EOL (from the merlin website). So that is 4 years from initial sale. Given a router typically has a longer life than 4 years (and that assumes you bought it at initial sale...not 18 months
Suspicious... (Score:2)
I have a router that is definitely not EOL and is very similar to one of the 7 on the list but no new updates for it... not feeling really awesome about this.
Re: (Score:2)
DD-WRT then
Re: (Score:1)
Shouldn't have bought one then.
Re: (Score:2)
I've considered that and used to run openwrt on a device years ago but it was annoying to admin at the time.
I suppose I should take another look and see if it supports my needs. I have a asus mesh to cover the weak/dead zones so it has to have a way to deal with that. Thanks for tip.
Re: (Score:2)
I would confirm that sentiment. It seems like OpenWRT is packed with functions once you get it set up, but everything about its interface feels a little... wonky to me. Could be a learning curve thing on my part for sure, but compared to DDWRT or PFSense or OPNSense those platforms just seem more intuitive to me.
Re:Suspicious... (Score:5, Insightful)
Look at the dates for the firmware fixes:
ZenWiFi XT8 3.0.0.4.388_24621 2024/03/19
ZenWiFi XT8 V2 3.0.0.4.388_24621 2024/03/19
RT-AX88U 3.0.0.4.388_24209 2024/03/29
RT-AX58U 3.0.0.4.388_24762 2024/04/12
RT-AX57 3.0.0.4.386_52303 2024/04/08
RT-AC86U 3.0.0.4.386_51925 2024/03/29
RT-AC68U 3.0.0.4.386_51685 2024/04/15
The article reads like this was fixed in a panic with new firmwares released now, but the first fix was March 19 and the last April 15.
Stop using toy routers (Score:1)
Either buy real network hardware from a serious manufacturer with proper support or, for the more budget conscious, just build your own with Linux. A low power, fanless mini-pc, with quad gigabit ports will cost you less than some of these modern toy routers, put a minimal install of Debian stable on it, and enable auto updates. You get way more power and flexibility, but no web-gui. Just done the first reinstall of mine since it was first setup (and largely untouched since) in 2017 - a few too many things
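The "enable auto updates" step in the comment above, written out as an added example that is not the commenter's own setup: a POSIX shell script that turns on Debian's unattended-upgrades periodic job (which by default pulls only from the security origin) and adds a local override so a kernel or libc security update is followed by a reboot at a quiet hour. APT_CONF_DIR is an assumed override, here only so the functions can be exercised against a scratch directory; on a real box it stays at /etc/apt/apt.conf.d. The script assumes the unattended-upgrades package is installed (apt-get install unattended-upgrades).

```shell
#!/bin/sh
# Added example for a self-built Debian stable router (not the commenter's
# config). APT_CONF_DIR defaults to the real apt.conf.d; an assumed override
# is accepted so the functions can be tested in a temporary directory.
set -eu

APT_CONF_DIR="${APT_CONF_DIR:-/etc/apt/apt.conf.d}"

# Write the fragment that enables the daily apt periodic job (this is what
# "dpkg-reconfigure unattended-upgrades" produces) plus a local override that
# is read after Debian's own 50unattended-upgrades because apt.conf.d
# fragments are applied in lexical order. Debian's shipped 50 file already
# restricts unattended-upgrades to the security origin, so it is left alone.
write_unattended_config() {
    mkdir -p "$APT_CONF_DIR"
    cat > "$APT_CONF_DIR/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$APT_CONF_DIR/52local-unattended-upgrades" <<'EOF'
// Local override (constructed for this example): finish kernel/libc security
// updates with an automatic reboot at a time when the link is idle.
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF
}

# Return 0 only when the periodic job is switched on and the reboot override
# is present; a missing or commented-out line fails the check.
check_unattended_config() {
    grep -q '^APT::Periodic::Update-Package-Lists "1";' \
        "$APT_CONF_DIR/20auto-upgrades" || return 1
    grep -q '^APT::Periodic::Unattended-Upgrade "1";' \
        "$APT_CONF_DIR/20auto-upgrades" || return 1
    grep -q '^Unattended-Upgrade::Automatic-Reboot "true";' \
        "$APT_CONF_DIR/52local-unattended-upgrades" || return 1
    return 0
}

# Apply only when explicitly asked (run as root: sh enable-updates.sh apply);
# otherwise the script just defines the functions and reports current state.
if [ "${1:-}" = "apply" ]; then
    write_unattended_config
fi
if check_unattended_config; then
    echo "unattended security updates: enabled in $APT_CONF_DIR"
else
    echo "unattended security updates: NOT enabled in $APT_CONF_DIR"
fi
```

After applying, a dry run with `unattended-upgrade --dry-run -d` shows which packages the next job would pull; the check function is deliberately strict about the exact `"1"` values so that a fragment someone later edited to `"0"` is reported as disabled rather than silently passing.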
Re: (Score:3, Insightful)
None of this is at all practical for most people.
The blame lies entirely with ASUS. What we need is a way to notify affected users. Maybe we could have a service like Have I Been Pwned, but for hardware, where you can register your device. Maybe a mandatory QR code on the box that you scan and it sets up notification emails for you.
Also a clear, large font display of the EOL date, and a note that the device must be replaced after that date. Tax for every year less than 15 where there is no support, to cover
Re: (Score:2)
I agree totally of course since I have been running my network with PFSense and OPNSense for years now and it's great, but at least on those BSD platforms one issue for the average user is a lack of any real WiFi support, so to recommend it to people means they are going to have to transition to a split system with a separate AP to manage. It's not the end of the world but that combined unit simplicity is appealing for your basic big-box router and non-technical user.
Are there Linux based hardware devices that
Re: (Score:2)
pfSense is probably a good option, I might have gone that way if it was Linux based. But with no BSD experience and thinking I might want to do other stuff on the router than just routing, I went with Linux. I assume pfSense gets good updates? OpenWRT runs on x86 as well, but their updates are a bit infrequent - though still better than usual consumer stuff.
Are there Linux based hardware devices that can do an all in one package like that for folks that want a single box to manage? Or can you drop in a network card and create your own AC/AX/BE networks?
My little box has internal wifi (I think usb attached though) but I didn't imagine it'd be up to the job. With a pcie card, probably necessitating a sli
Re: (Score:2)
I assume pfSense gets good updates? OpenWRT runs on x86 as well, but their updates are a bit infrequent - though still better than usual consumer stuff.
It does, just checking my router now and a June 17 major update is available (2.7.0), a primary reason I wanted to move to an x86 platform, but as I mentioned pretty much everyone using anything BSD says the wifi support in general is pretty lacking. A few folks have made a single box solution but it's pretty "held together with duct tape and zip ties" type of software.
. I prefer separate APs though, especially as I need more than one
Absolutely agree, nothing but good things to say about my Ubiquiti AP but you know it's just not something that is as close to non-techie fri
pfSense (Score:2)
pfSense is probably a good option, I might have gone that way if it was Linux based. But with no BSD experience and thinking I might want to do other stuff on the router than just routing, I went with Linux. I assume pfSense gets good updates?
I'm a pretty avid user of pfSense, particularly for dual-WAN setups. Although I do feel less manly for not hand-crafting my own pf.conf file, especially since Henning Brauer referred to it as "pf non-sense" in response to a question I once asked him about it.
That being said, I think the graphical interface is quite nice. I like that I can temporarily disable a rule without deleting it, something I don't see in a lot of consumer-grade routers. For example, when renewing certificates from Let's Encrypt, I can tempo
Re: (Score:2)
I agree in the sense that I have done this, and am still running my self-built router.
Now, I'm one of those insane people that run Gentoo on it, and haven't reinstalled since at least 2014 (oldest file in /etc). All up to date of course, and I love pampering it.
Would I recommend anyone else do this? No way...
At best to fairly technical people I'd suggest to buy a mini-pc and install openWRT on it. But! openwrt lacks udev. So any hw configuration change will probably mess up network interfaces (renumbering a
Re: (Score:2)
What about people whose routers are provided by their ISP?