Dear Asus Router User: All Your Cloud Are Belong To Us
New submitter Trax3001BBS writes "Ars is running an article about a vulnerability of Asus routers that are becoming very popular at the moment for connecting USB devices to the Internet. From the article: 'An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used ... The guerilla-style hacking disclosure comes eight months after a security researcher publicly disclosed the underlying vulnerability that exposed the hard drives of ... Asus router users. ... According to Lovett, the weakness affects a variety of Asus router models, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Asus reportedly patched the vulnerabilities late last week...' And this old news, come new again: The Asuswrt Merlin ROM took care of this vulnerability months ago (defect #17)."
Just install DD-WRT and have done with it.
It's a text file. The average computer user will not go and dig through log files, nor will they go around on the internet reading everything about each vulnerability that is exposed every day. Years ago I copy-pasted a similar text file to computers on a neighbourhood network, letting them know those specific folders were exposed on the local network and had also been given r/w permissions. I was (and somehow still am) a humble user, passionate about tech, but I can always appreciate the heads-up. Just did what I think I'd like done if I were to accidentally share something on the local network, since although it might not be sensitive at first, mistakes are made regularly.
WTF does a ROUTER need a hard drive? That just sounds like a disaster waiting to happen.
I don't have to worry about this, AT ALL, because the router only worked for 2.5 hours after installation before it died. So there!
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
http://www.itblow.com/featured...
You realize that open FTP servers used to be the norm? You realize that the RFC itself requires PORT to be open so that you can do a bounce attack?
Please don't be an idiot. This stupidity has nothing to do with windows, and is clearly the fault of Asus and not anything OS related.
...oh the irony.
I have a couple of the Asus routers, and I love them. One runs as an openvpn server, the other runs a few services to simplify remote administration of an offsite location. Good little boxes.
But, it has really opened my eyes as to how bad security can be. These systems are at least slightly more secure than the WD drives. Third party firmware adds some levels of complexity, but a whole lot of functionality.
Yes. Linux prevents it. Right. And what software do these routers run as their firmware? That's right, a customized version of Linux.
The best part about this, IMHO, is that my router reports that there is no new firmware. I was able to download it from ASUS and it installed successfully. But had I not seen this article, I would have kept on assuming that mine was the latest and greatest because that is what the router told me.
"a proprietary version of Linux."
I fixed that for you. You can't blame Linux in most cases, you blame the company who has exclusive access to the firmware and judgment of when and what to update.
So I try a random IP, paste it in my URL bar (specifying an old, insecure file transfer protocol) and bam next second I'm looking at a guy's medical files (an excel sheet with daily blood sugar levels, what he ate that day, and sometimes comments) and his tax returns. Looked at a few pics too.
Another IP doesn't work immediately, another has the server up but no shares, another has some music and I'm downloading some to try it out, hell I even curlftps'ed in for the sake of it and it works albeit slow. Aww fuck I can even write. Dropping a few music files into an unknown Spanish-speaking person's short music collection.
For once... don't read TFA! Makes me feel dirty.
I wonder what's so "white hat" about some of the information that is included.
From Merlin himself:
http://forums.smallnetbuilder....
He says disable aicloud and the ftpd for now.
Genuine thanks. I have one of these models in my office, where there's just a couple of us. Never even thought about it, as we don't use it for anything other than establishing PPPoE on ADSL. Turns out we had those features all turned on, too. No disks attached - but still.
I thought Asus router firmware was open source.
has ... judgment of when and what to update.
That's more the problem. As I understand it, the last DD-WRT vulnerability was fixed within hours (not that that'll do much good if people aren't keeping it up to date)
systemd is Roko's Basilisk.
It doesn't matter if it was fixed even before the flaw was found, if nobody applies the patches. Routers and other small devices are "deploy and forget". In the future when your toaster runs linux, do you really want to check & apply updates every hour? And what if the bleeding edge patch breaks the timer/thermo and it burns someone's house down? Laugh at them because the source was open and they could have checked/fixed the code themselves?
An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used
I wouldn't call that a nasty surprise. In fact, I would call it a welcome surprise since it doesn't seem like his files were messed with and he is now aware of a security hole which he can take measures to protect.
Dear IT People,
Despite what you might think in the modern day, exposing things to the Internet unnecessarily is still just asking for problems. Especially things with firmware rather than regularly- and automatically-updated software.
Yes, we all run websites. Yes, we have RDS and VPN and all kinds of clever technology. And, yes, I'm sure you "keep it up to date" and have 28-digit passwords.
But that doesn't change the fact that the connection that comes into your business/home is "hostile". It receives rogue packets and attacks 24 hours a day whether you know it or not. In fact, it's kind of a credit to most firewalls how LITTLE you actually notice coming down the line because it's just handling all the obvious attacks and scans all the time.
But every port you open, everything you expose past your firewall (and even your firewall can be a problem if it's not good enough to handle unusual packets like a lot of ADSL routers that crash if they get too many connections or large packets, etc.) is a risk. Honestly. It's a risk.
If you buy some cheap piece of commodity hardware and port-forward direct to it on the standard ports, you are relying on the security of that device to keep intruders out - not your firewall.
If it's some cheap router, or some crappy CCTV PVR or a games console or even just a test experiment or network switch or something else in your home, then you are relying on THAT to be a secure gateway from attacks from the Internet. And guess what, the weakest link in the chain will be the first exploited.
Please, before you go exposing this crap to the general Internet, limit its damage potential. Don't put it on your local network, but a VLAN of some kind. Don't forward every port. Don't have things like UPnP enabled (which is just automated, authentication-less port-forwarding). Put some authentication on it. Don't rely on some web interface knocked up by a foreign CCTV manufacturer, intended as a GUI for the local network to be as trusted as your firewall.
Similarly, don't let these cheap, shit ADSL routers be exposed to the general Internet while having all your personal files on them (and presumably running Samba, Bonjour, FTP, all kinds of shit to the local network to let you access them). Just... don't.
You want to do this kind of thing? Use the VPN functions and make sure you keep on top of their updates and security. They will allow you to join the local network remotely, and that local network can be as insecure as you like with this cheap shit dangling off it unauthenticated if you like, as your VPN access can be secured, logged, audited and checked quite easily.
Don't allow some piece of firmware junk, probably written in some C/Perl CGI/PHP that hasn't been updated since the day it started working enough to be saleable, to be your public face and guardian on the Internet.
The principle applies all the way up too. Don't put AD controllers on the visible Internet. Don't let your public RDS server be the same as your DC or even on the same VLAN. Don't run IIS exposed to the world for some crappy HP utility, or external page.
Do what those weird old tech guys used to do for decades and limit your exposure at all times. Sandboxing, VLAN'ing, permissioning, auditing. And, in the extreme, run a server OUTSIDE your home for this kind of shit. Seriously, VPS and cloud server with large storage allocations are cheap as chips nowadays. And they are kept up to date for you. And if someone compromises them, you have someone to blame AND you can be sure they haven't popped onto your home network and downloaded everything off your private laptop too.
If some random consumer buys this crap and gets attacked, that's their problem. This is a site for damn geeks, though. We should know this kind of stuff. We should be advising against this kind of stuff. I should be able to nmap any one of you, at home or at work, and come up with nothing but a handful of secured ports running the latest software (if any
Soylent News
Pretty sure the attack is on an Asus router which if i had to guess is running some unix variant...
not sure if you're trolling or what, but you really never know on slashdot.
That's why we moved already to Soylent News.
ASUS RT-N66U Firmware version 3.0.0.4.374.4422
Security related issues:
1. Fixed lighttpd vulnerability.
2. Fixed cross-site scripting vulnerability (CWE-79).
3. Fixed the authentication bypass (CWE-592).
4. Added notification to help avoid security risks.
5. Fixed network place (samba) and FTP vulnerability.
Improvement:
1. Redesigned the parental control time setting UI.
2. Updated multi language strings.
3. Adjusted FW checking algorithm.
4. Adjusted Time zone detecting algorithm.
5. Improved web UI performance.
Do it with a pogoplug. You can run Debian (or allegedly BSD) from an SD card, it gets updated more than the various router firmwares, and you can get one with USB3 for $20 brand new.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Haven't checked into other routers, but the RT-N16 has a "warranty cap". There is a capacitor on the far right of the unit, roughly centered. It's clearly designed to fail after a period of time. The rest of the capacitors are a different brand that isn't generally known to fail, the warranty cap is known to be a defective make.
Normally it takes a bit longer than the actual warranty length to fail.
Give me a break. A vulnerability was disclosed, and then some time after that it was leveraged by attackers in the wild. This is what happens.
I'm using Bell Fibe in Canada, and they supply a Modem / Router solution. I believe that Rogers (other major ISP) provides similar technology. So for many people they would not have their own router / firewall as first line of defense, they'd have ISP-supplied equipment.
Is it common in Canada or the US for people to just get a WAN Modem / Driver from their ISP and then put their own router into place? Or worse, plug their laptop right into the Driver and hope that MS firewall will keep the wolves at bay?
For wireless, the Bell / Rogers solutions both suck ass, so I disabled wireless and bought a small office WAP to punch a signal through the house where needed (the rest of my stuff is hard-wired to the switch). I don't think that would be an entry point if the security is turned up enough, right?
I have a couple of D-Link DIR825-C1 units on my network, both with DD-WRT, one in client bridge mode and the other as my router. Both have been rock solid, and a worthy upgrade from my classic WRT54G boxes.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Kind of annoying that my RT-N66U STILL does not see this firmware when I tell it to check for updates, even though it was released 6 days ago.
Is it easy to recognize? It was still worth it to me to buy a second RT-N16, but I still have the failed one. Would love to resurrect it.
If you want local storage you're better off with a server than setting something up through a router. Most router makers don't concern themselves with security as much as ease of setup. The other question will be, how long will it take Asus to do a firmware revision to correct this, if they can?
Did something similar to this once during college, we found a student on the campus network who had their entire computer shared with no password. We posted some text files on their desktop warning them of the issue and instructing them how to fix it. I think we even printed off the text file on their printer.
ClamXav on OS X reported a virus infection in one of the files in the archive: ASUSGATE/FTP-dirlist/75.183.112.181.dirlist: JAVA.Exploit.CVE_2012_1723 FOUND
I don't know exactly what to make of that, but be careful.
It'd probably take you less time to rip it open and find out than to wait for the reply, or even to find pictures in the fcc database
I already had it open. I never figured it out. No obvious problems in there (no bulged caps), but it behaved just like a capacitor problem.
The description said that it was a different-brand cap on one side of the board all alone. You could probably have found it and desoldered it by now, if it's there. Could always be another rev of the same board, in which case any answer would be useless. If you can find your ass with both hands and a map and pour piss out of a boot with instructions printed on the heel, you're qualified to figure this one out on your own.
"Have you checked if there's been newer releases of DD-WRT for your D-Link?"
It's next to impossible to know what DD-WRT version/build/release to install on anything.
The site posts binaries in what, 8 flavors, and then says 'read ALL of the wiki AND ALL OF THE PEACOCK THREAD before deciding what to install!!!'. The site's version selection tool is about guaranteed to give you bad advice, and the forums tell you "make sure you install the {Eko|Brainslayer} version but NOT THE LATEST NIGHTLY!!!" 'cuz apparently Eko and Brainslayer are really good guys and strong coders, though you'd have a hard time figuring who they are or if they're so good why the site doesn't host their magic binaries at the root.
DD-WRT is, no bones about it, awesome in many, many ways. But you have to be a very patient, determined geek to understand which version to try first. Once you get it installed and the lid nailed on, it doesn't give you the warm-and-fuzzies to think about finding a new version to update it with, especially because you have to wade through the misinformation again.
Howsabout this: if there's someone in charge over there, bless a series of builds for the Broadcom, and a series of builds for the other chipsets. And skip all the binaries linked in the forum, the wiki, the broken selection tool.
Just make it easy to know what to install. Not bricking your router is hard enough as it is.
I didn't have it open today - I had it open 6 months ago.
I misread on the brand part.
Why does this bother you so much?
It's people!
This firmware has been available for several days but if you go into your router and have it check for an update (and you are running the one from months ago like I was) it still says you are using the current version.
I'll NEVER buy another ASUS router again. Their routers get such good reviews. I think it's time to just start running pfsense in a VM on my linux box and just be done with it. Just use the wifi on these shitty routers for wireless lan access.
The way I did. Now, if you're not an experienced sysadmin, and want to use your Asus router for *anything* else, give up. I've got DD-WRT on mine, and it took months, for the simple reason that I wanted to use the router, as it advertised on the box, to serve a USB printer.
Calling Asus about the stock firmware, when I told them my printer, they told me, "oh, it serves printers, but not that printer, you should have checked what we support...." The box does *NOT* say "only supports some printers...."
So I went for DD-WRT. That's a disaster. The web site - after a month or so of screwing around on and off, I found someone who knew something, saying, IGNORE THE ROUTER DATABASE. You know, the first thing it tells you to use when you go to the DD-WRT home page? And the guy went on to say, that the d/b was out of date at best, and *wrong* at worst.
Then I got into the "help" forum. I've been in the field since before some of you were born... and I have *never* seen a project where folks talked about their "favorite build". !!! And one where one thing gets fixed in a build by one person, but something else breaks (regression tests? What are those?) And they have no formal releases, just some lead developers' builds.
I can't see how I can ever update the firmware, since I don't want to break what works...
So if you just want it as a router, or maybe even w/ QoS, DD-WRT ok. Otherwise, be prepared for a lot of grief (and you'll get real familiar with restoring the original firmware to start all over again).
mark
Hi all, it's an honor to be linked by /. as part of this story. I wanted to post to draw further attention to what has already been discussed here: it hasn't yet been confirmed that the fix from months ago addresses all vulnerabilities mentioned. As Eric, the author of the firmware, stated, please ensure the AI Cloud and FTP services are disabled for now if using this firmware. I would further add (also already discussed here) that a better-safe-than-sorry approach is to stick to alternative software for "AI Cloud"/FTP solutions. For example, if I needed FTP, I'd rather use a much tested/hardened/known good dedicated FTP solution rather than one baked into any router.
Thanks!
Ditch the consumer router for firewalling and instead use an old PC with Monowall or Pfsense installed. Then, to allow wireless access to the network, just set up your consumer router to pass through the network access to Monowall/Pfsense and on out to the internet.
Yes, much better to install a new lock on said neighbor's door. Isn't that what those helpful ransomware people do?
Please see http://support.asus.com/download.aspx?SLanguage=en&m=RT-N66R&p=11&s=2&os=36&hashedid=yaPRqqZuiBsRlS5W for the latest upgrade; I just upgraded mine.
There does seem to be a defect in the firmware upgrade check utility as it doesn't see the upgraded version for some reason and reports the current version as the latest. Seen this before on this router as well as various Linksys and Netgear. Automated checks are a great idea if they're coded correctly...
Ciao!
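Several commenters above report the router's update check claiming the months-old firmware is current even after 3.0.0.4.374.4422 shipped. The page does not say what the actual defect was; the following is an added example (not ASUS code) of one common way such checkers go wrong, comparing dotted version strings lexically instead of numerically, next to a correct comparison. The older version string used in the comments is constructed for illustration.

```python
"""Dotted firmware version comparison: a lexical (buggy) check beside a
numeric (correct) one. Added illustration, not the router's own code."""
from __future__ import annotations

import re
from typing import Tuple

# ASUS-style version strings (e.g. 3.0.0.4.374.4422 quoted in the thread)
# are purely numeric, dot-separated components. The trailing build numbers
# grow past the digit count of earlier builds over time, which is exactly
# the case where string comparison gives the wrong answer.
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(s: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into a tuple of ints.

    Anything that is not purely numeric-dotted is rejected rather than
    silently compared, so a malformed server response cannot masquerade
    as "no update".
    """
    s = s.strip()
    if not VERSION_RE.match(s):
        raise ValueError(f"unsupported version string: {s!r}")
    return tuple(int(part) for part in s.split("."))


def naive_update_available(installed: str, latest: str) -> bool:
    """Buggy check: plain string comparison of the two version strings."""
    return latest > installed


def update_available(installed: str, latest: str) -> bool:
    """Correct check: compare component by component as integers.

    A shorter string is padded with zeros so 3.0.0.4 equals 3.0.0.4.0,
    which is the usual convention for dotted versions.
    """
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return b > a


if __name__ == "__main__":
    # Constructed older build for illustration; 4422 is the one on the page.
    installed, latest = "3.0.0.4.374.979", "3.0.0.4.374.4422"
    print("naive  :", naive_update_available(installed, latest))  # False
    print("numeric:", update_available(installed, latest))        # True
```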
Very easy, yes.. there's one that stands off on its own. I had 5 of them in service, they all died within the same month.