Fuck, I just bought one
I literally took delivery and plugged my shiny new Asus router in at home yesterday, even downloaded the firmware update, which I now learn is useless.
ASUS routers contain a vulnerability that turns users into admins, researcher Joshua Drake says. The boxes could be exploited by malicious local users, but not those on the wider internet, re-rerouting all users on the network to malicious sites, among other attacks. Drake wrote in an advisory that several popular models were …
And which side of the router would the PC executing an email attachment or malicious download be on?
It wouldn't be the first time a lan side vulnerability was exploited by an internet source. Given how many routers Asus sell and how unlikely most will be updated thinking your safe because it's lan side only sounds naive.
Then again those most likely to run email attachments or unprotected pcs won't do anything about firmware updates or understand firewall rules. This could get messy...
Try using Merlin's firmware. It's a lightly modified version of the stock firmware, and he patched this bug this morning.
Been running beautifully on my RT-AC66U for several months now.
I have one but allways felt a little suspect of it so used a Mikrotik more of the time (also cheaper to run and replace when electrical storms about).
Wonder if Merlin's firmware or DD-WRT are completely clean on that?
Merlin's was quite heavily related to the base firmware (or was it the other way round).
(http://asuswrt.lostrealm.ca/changelog)
Where Merlin goes, Asus follows - he contributes a lot of enhancements and bugfixes back to Asus.
Powernumpty's post refers to the AsusWRT-Merlin Changelog, lo and behold:
376.49_5 (9-Jan-2015)
- FIXED: Vulnerability in infosvr (CVE-2014-9583) (Asus bug)
- FIXED: Additional security issue in infosvr (incorrect memcpy()
call) (Asus bug)
ASUS routers are actually pretty good. This is the first security issue I've heard of with their firmware, and the admin UI is pretty easy to use (especially in the higher-spec devices). They could do with improving the Parental Control features, but otherwise a big thumbs up from me.
3.0.0.376_1071 is indicated on my router as being the latest version and this was not released in the last few hours. I've had it on the router for several weeks. I suspect you still have the vulnerability.
Interestingly the ASUS website lists newer builds. See http://support.asus.com/download.aspx?slanguage=en&m=RT-N66U+%28VER.B1%29&os=8 for details. In don't know why the router doesn't find these for itself.