More Asus vulnerabilities https://arstechnica.com/security/2024/06/high-severity-vulnerabilities-affect-a-wide-range-of-asus-router-models/ A few of the major points: The most critical vulnerability, tracked as CVE-2024-3080 is an authentication bypass flaw that can allow remote attackers to log into a device without...

[Superhands]

https://arstechnica.com/security/2024/06/high-severity-vulnerabilities-affect-a-wide-range-of-asus-router-models/

A few of the major points:

The most critical vulnerability, tracked as CVE-2024-3080 is an authentication bypass flaw that can allow remote attackers to log into a device without authentication. The vulnerability, according to the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), carries a severity rating of 9.8 out of 10.
…
A second vulnerability tracked as CVE-2024-3079 affects the same router models. It stems from a buffer overflow flaw and allows remote hackers who have already obtained administrative access to an affected router to execute commands.
TWCERT/CC is warning of a third vulnerability affecting various Asus router models. It’s tracked as CVE-2024-3912 and can allow remote hackers to execute commands with no user authentication required.
…
Asus has advised all router owners to regularly check their devices to ensure they’re running the latest available firmware. The company also recommended users set a separate password from the wireless network and router-administration page. Additionally, passwords should be strong, meaning 11 or more characters that are unique and randomly generated. Asus also recommended users disable any services that can be reached from the Internet, including remote access from the WAN, port forwarding, DDNS, VPN server, DMZ, and port trigger.

The list of affected devices is available in the article, along with relevant links. For those devices that are now unspported, it looks like replacement is the only option officially available

 

once again though I see the dsl-ax82u missed off the list of updates, whose last update was close on a year ago now. They’re really dropping the ball on keeping these devices up to date, really not good enough

Share the knowledge

You need to login in order to vote

[UK Sentinel]

I will check with ASUS to see if the DSL-AX82U is infact impacted via  CVE-2024-3080, CVE-2024-3079 and CVE-2024-3912.

 

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[Superhands]

Thanks  please pass on they need to pull their fingers out keeping their dsl devices up to date, they practically abandon them versus their rt- counterparts :/

Share the knowledge

• This reply was modified 1 year, 10 months ago by Superhands.

Liked by:

You need to login in order to vote

[UK Sentinel]

I will

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[UK Sentinel]

As an update, ASUS have come back to me and explained that the ASUS DSL-AX82U is susceptible to these two Critical Vulnerabilities.

CVE-2024-3080, CVE-2024-3079

ASUS also have said new DSL-AX82U firmware has now been verified and should be released shortly.

If nothing hits the ASUS download servers by Monday next week, I will chase ASUS again (If I remember)

 

 

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[Superhands]

Awesome thanks it really is bad though how infrequently they patch these dsl devices, especially given they are the direct gateway to the internet. AND they always seem to exclude off the press release for vulnerabilities (not the first time it’s happened) . Doesn’t really give you a lot of confidence in buying their products

Share the knowledge

• This reply was modified 1 year, 9 months ago by Superhands.

Liked by:

You need to login in order to vote

[UK Sentinel]

It is a challenge and always has been, alas many manufactures including ASUS sell more Routers than Modem/Routers combo’s, so as a result DSL devices are less of a priority.

It is good that ‘we’ keep nagging ASUS for updates and fixes for their DSL appliances

 

 

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[Superhands]

Fingers crossed Openreach will hurry up and deploy fibre sometime so I can get shot of the dsl one and have a regular router in that case. They’re taking their sweet time about it though and Virgin aren’t interested :/

Share the knowledge

Liked by:

You need to login in order to vote

[UK Sentinel]

I Ditto that for my area also

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[UK Sentinel]

New ASUS DSL-AX82U Firmware version 3.0.0.4.388_24894

Version 3.0.0.4.388_24894

2024/06/21

 

Security Fixes and Improvements:
– Update dnsmasq to 2.90.
– Update dropbear to 2022.82 and fix CVE-2023-48795.
– Update StrongSwan to 5.9.13.
– Fixed the vulnerability in eapd.
– Fixed the vulnerability in httpd.
– Fixed CVE-2024-0401.
– Fixed AiCloud related issues.

Bug Fixes and Improvements:
– Added device binding support of the first guest network.
– Added WireGuard client MTU option.
– Added Xiaomi phone USB tethering support.
– Added IPv6 Access restriction rules (Web/SSH/Telnet) support.
– Added DDNS services FreeDNS and FreeMyIP support.
– Added IPv6 information in NetworkMap.
– Added IPv6 addresses for the client of WireGuard server if enable IPv6.
– Added Samba IPv6 support.
– Added the edit mode for DHCP server Manual Assignment.
– Updated the generation and usage of Router certificate.
– Updated to support 50 IGMP member.
– Updated Privacy Policy and EULA.
– Fixed the client cannot access network if OpenVPN server setting with TAP + DHCP.
– Fixed time zone ‘Saint Pierre, Miquelon’ with DST settings.
– Fixed getting IPv6 address from WAN if setting Bridge service.
– Fixed the issue of removing iPhone’s first interface.
– Fixed DDNS issue and enhanced the control flow.
– Fixed disable and enable WireGUard server sometimes cause the router reboot.
– Fixed cannot access WireGuard Server if enable DMZ.
– Fixed AiMesh related issues.
– Fixed Network Server Filter apply failed.
– Fixed client status of wireguard server sometimes be incorrect.
– Fixed Dual WAN load-balance issue when both of WAN are “Static IP”.
– Fixed router LAN devices configured using specific WAN when enabled Load Balance, client of VPN server could not access those LAN devices.
– Fixed adding two or greater online mode rules for a day, the client cannot access internet in online period.
– Fixed zone issue.
– Fixed sometimes continuous feedback and then reboot issue.
– Fixed getting IPv6 address from the server on no vlan interface even enable 802.1Q.
– Fixed Parental Control issues.
– Fixed OpenVPN server not show IPv6 settings correctly with new RWD UI.
– Fixed telnet server terminated periodically if IPv6 enabled.
– Fixed LED related issue.
– Fixed VPN FUSION IPv6 default connection not changed if setting Internet Connection as default connection.

https://www.asus.com/uk/networking-iot-servers/modem-routers/all-series/dsl-ax82u/helpdesk_bios?model2Name=DSL-AX82U

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[UK Sentinel]

I have emailed ASUS and asked them regarding CVE-2024-3080 and CVE-2024-3079 ?

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[Superhands]

Quite a poor effort on their part seeing as it doesn’t cover those CVEs.

And seeing it’s been almost a year since the last one, disappointing to see it’s still on 3.0.0.4 and they haven’t looked to update it to the current major version of asuswrt.

Have updated anyway for now but hopefully they have more in the works?

Share the knowledge

You need to login in order to vote

[UK Sentinel]

3.0.0.6 builds (ASUSWRT 5.0) are for Pro models and GT-AX6000 only I believe.

I assume GT-BE98 and similar will use 3.0.0.6 builds, RT-AX86U and RT-AX68U and similar will be stuck on 3.0.0.4 builds at least for now.

 

https://routerkb.asuscomm.com/?page_id=14282&lang=en

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[UK Sentinel]

I have spoke with ASUS and they say, ‘This version includes CVE-2024-3080, CVE-2024-3079’.

It is just that the change log does not always capture all changes for various reasons.

—–

This version includes  CVE-2024-3080, CVE-2024-3079.

—–

Share the knowledge

In a completely sane world, madness is the only freedom (J.G.Ballard).

You need to login in order to vote

[Superhands]

Nice one, thanks for following it up. Hopefully they don’t leave it until 2025 to update it again

Share the knowledge

• This reply was modified 1 year, 9 months ago by Superhands.

Liked by:

You need to login in order to vote

[Author]

Posts