Bug Security

Dear Asus Router User: All Your Cloud Are Belong To Us 148

Posted by Unknown Lamer
from the stock-firmware-considered-harmful dept.
New submitter Trax3001BBS writes "Ars is running an article about a vulnerability of Asus routers that are becoming very popular at the moment for connecting USB devices to the Internet. From the article: 'An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used ... The guerilla-style hacking disclosure comes eight months after a security researcher publicly disclosed the underlying vulnerability that exposed the hard drives of ... Asus router users. ... According to Lovett, the weakness affects a variety of Asus router models, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Asus reportedly patched the vulnerabilities late last week...' And this old news, come new again: The Asuswrt Merlin ROM took care of this vulnerability months ago (defect #17)."
  • by tmo72 (604664) on Tuesday February 18, 2014 @03:21AM (#46273945)

    From Merlin himself:
    http://forums.smallnetbuilder.... [smallnetbuilder.com]
    He says disable aicloud and the ftpd for now.

  • Dear IT People (Score:5, Informative)

    by ledow (319597) on Tuesday February 18, 2014 @05:17AM (#46274181) Homepage

    Dear IT People,

    Despite what you might think in the modern day, exposing things to the Internet unnecessarily is still just asking for problems. Especially things with firmware rather than regularly- and automatically-updated software.

    Yes, we all run websites. Yes, we have RDS and VPN and all kinds of clever technology. And, yes, I'm sure you "keep it up to date" and have 28-digit passwords.

    But that doesn't change the fact that the connection that comes into your business/home is "hostile". It receives rogue packets and attacks 24 hours a day whether you know it or not. In fact, it's kind of a credit to most firewalls how LITTLE you actually notice coming down the line because it's just handling all the obvious attacks and scans all the time.

    But every port you open, everything you expose past your firewall (and even your firewall can be a problem if it's not good enough to handle unusual packets like a lot of ADSL routers that crash if they get too many connections or large packets, etc.) is a risk. Honestly. It's a risk.

    If you buy some cheap piece of commodity hardware and port-forward direct to it on the standard ports, you are relying on the security of that device to keep intruders out - not your firewall.

    If it's some cheap router, or some crappy CCTV PVR or a games console or even just a test experiment or network switch or something else in your home, then you are relying on THAT to be a secure gateway from attacks from the Internet. And guess what, the weakest link in the chain will be the first exploited.

    Please, before you go exposing this crap to the general Internet, limit its damage potential. Don't put it on your local network, but a VLAN of some kind. Don't forward every port. Don't have things like UPnP enabled (which is just automated, authentication-less port-forwarding). Put some authentication on it. Don't rely on some web interface knocked up by a foreign CCTV manufacturer, intended as a GUI for the local network to be as trusted as your firewall.

    Similarly, don't let these cheap, shit ADSL routers be exposed to the general Internet while having all your personal files on them (and presumably running Samba, Bonjour, FTP, all kinds of shit to the local network to let you access them). Just... don't.

    You want to do this kind of thing? Use the VPN functions and make sure you keep on top of their updates and security. They will allow you to join the local network remotely, and that local network can be as insecure as you like with this cheap shit dangling off it unauthenticated if you like, as your VPN access can be secured, logged, audited and checked quite easily.

    Don't allow some piece of firmware junk, probably written in some C/Perl CGI/PHP that hasn't been updated since the day it started working enough to be saleable, to be your public face and guardian on the Internet.

    The principle applies all the way up too. Don't put AD controllers on the visible Internet. Don't let your public RDS server be the same as your DC or even on the same VLAN. Don't run IIS exposed to the world for some crappy HP utility, or external page.

    Do what those weird old tech guys used to do for decades and limit your exposure at all times. Sandboxing, VLAN'ing, permissioning, auditing. And, in the extreme, run a server OUTSIDE your home for this kind of shit. Seriously, VPS and cloud server with large storage allocations are cheap as chips nowadays. And they are kept up to date for you. And if someone compromises them, you have someone to blame AND you can be sure they haven't popped onto your home network and downloaded everything off your private laptop too.

    If some random consumer buys this crap and gets attacked, that's their problem. This is a site for damn geeks, though. We should know this kind of stuff. We should be advising against this kind of stuff. I should be able to nmap any one of you, at home or at work, and come up with nothing but a handful of secured ports running the latest software (if any

  • by AlphaWolf_HK (692722) on Tuesday February 18, 2014 @05:29AM (#46274211)

    I've got an RT-AC66U myself and honestly I like tomato (shibby version) a hell of a lot better for it. Multiple reasons, but the biggest include:

    The interface in DD-WRT is clunky; by that I mean they use a worse than MS Windows* style of individual fields for IP address octets so that you have to tab between fields instead of naturally typing it out in the dot notation like you do everywhere else; and if you change one setting that uses a refresh object it *very annoyingly* undoes any unsaved settings you may have made on that page. *(MS Windows is actually slightly better here because if you type in the dots it automatically moves to the next field, whereas DD-WRT does not, requiring you to tab instead, and if you make an error in a previous field you have to shift-tab and arrow to your mistake instead of simply hitting backspace.)

    Tomato has really nifty links for doing things quickly. A beautiful example is like giving a MAC address a sticky dynamic IP address just requires a click, typing the IP address and desired hostname (for local DNS resolution if you desire) and then clicking save. With DD-WRT you have to go through numerous steps just to type in the MAC address.

    DD-WRT's QoS functions, and its network monitoring and analysis functions are downright awful compared to tomato. Just straight up awful.

    DD-WRT deliberately cripples certain features unless you pay for them (such as its QoS features, which even the paid version is worse than what Tomato offers for free.)

    (Kind of hypocritical too because DD-WRT was originally built by a group that was tired of the Sveasoft guy hoarding his changes to the GPLed code to only those who paid him, but I don't count that against them because I'm more of a "I use what works" kind of guy.)

    Then again I'm a hobbyist when it comes to networks, so I might have more stringent demands than anybody else.

  • by rs1n (1867908) on Tuesday February 18, 2014 @08:10AM (#46274517)
    As the title suggests, the firmware update on 2/12/2014 supposedly fixes the issues. http://support.asus.com/downlo... [asus.com]

    ASUS RT-N66U Firmware version 3.0.0.4.374.4422
    Security related issues:
    1. Fixed lighttpd vulnerability.
    2. Fixed cross-site scripting vulnerability (CWE-79).
    3. Fixed the authentication bypass (CWE-592).
    4. Added notification to help avoid security risks.
    5. Fixed network place (samba) and FTP vulnerability.

    Improvement:
    1. Redesigned the parental control time setting UI.
    2. Updated multi language strings.
    3. Adjusted FW checking algorithm.
    4. Adjusted Time zone detecting algorithm.
    5. Improved web UI performance.
