There have been a couple of announcements over the last few days of a botnet made up of Asus routers. This seems to include a hardware-persistent backdoor.
Are Asus routers running OpenWrt vulnerable to this? If so, how can I patch my AX6000 or whatever?
Nothing to do with hardware.
Asuswrt stores config in the uboot environment, there is no other "disk" as reporters dream about.
In general, vulnerable routers are asuswrt ones not patched for 2 years. And another reason to not browse nefarious sites while a home server admin tab is open in the same browser.
Yeah, I'd like to know also now before flashing my ASUS TUF-AX6000 with OpenWRT....
But to note, my router will be behind an OPNSense firewall, so I don't think it will be so easy for someone to get in, unless they're connected to the wifi.
Some people preserve it so they can revert to stock and this old firmware sticks around in case an update fails. It is triggered by, usually, 3 failed boots.
You can overwrite it with a known-working install of OpenWrt. If you have installed OpenWrt and then updated without taking steps to preserve this partition it was, most likely, overwritten with OpenWrt already.
Does that require that a homeserver admin tab is open, though? I would think this would work anytime, unless you use something like the "Block Outsider Intrusion into LAN" blocklist in uBlock Origin.
Since I do, it just returns a list of all checked IPs.
I honestly don't understand why it is possible to do such network requests by default on any modern web browser because it can be very dangerous. Sure, finding a working IP this way may take some time, and the usable protocols are limited, but it is still bad. Like, websites can just connect to any port open on your computer, maybe even if it's bound only to localhost! JetBrains IDEs and some other things specifically listen for such connections so that their website can implement convenience features like plugin install from the JetBrains website, and maybe even worse things.