Does Gl-iNet firmware get timely security updates from OpenWRT?

I bought two brand new routers (GL-SF1200) this week and I was shocked to find it runs OpenWRT 18.06.

Does this mean my router is vulnerable to this and other (CVEs) security vulnerabilities?

This post is from over a year ago but if I click ‘update’ it states I have the ‘latest’ version of the firmware. Please advise here.

1 Like

Asus was penalized for shipping outdated vulnerable routers (Asusgate case) and not responding to vulnerabilities reported by the community.

I believed the incident cost Asus 150 million dollars in legalities and damages.

They settled the case in 2015 with the FTC and are now obliged to have external security audits for each product and pay $16.000 for each individual security incident till 2036.

Maybe the FTC needs to take a closer look into this as well so that it will be taken more seriously by Gl-iNet.

I was very disappointed when I noticed my routers were shipped with an outdated version with known security vulnerabilities and a version that is no longer being maintained.

It is possible GL iNet fixed the Application issues. I don’t own a SF1200, but you could check a few of the Applications to see if they have been updated. You can do this in the GUI under APPLICATIONS → Plug-ins. I would start by looking at dnsmasq as it had multiple Security Advisories posted on the version running in 18.06. If it was updated to the same as being used in the GL iNet 3.212 firmware, running 19.07, the version should be:

dnsmasq-full      2.80-16.3

Indeed it runs the 2.80-16.3 version as well.

As covered many times on the forum, OpenWRT version does not say much. OpenWRT versions basically just dictate what features are included in the release, how the configuration files are set up and other infrastructure changes.

In Linux every part of the system can be updated independently. Kernel, programs etc, can be updated to newer versions than the main release had. GL have updated packages when vulnerabilities have been found, you can search the forums for that in the past.

If you find a program that you require hasn’t been updated, send an email to customer service and it will be updated for you.

2 Likes
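
The per-package check discussed in this thread, as an added example that is not part of any post and is not GL.iNet or OpenWrt code: it reads `opkg list-installed` style output and compares each package against a minimum version. The function names `ver_ge` and `audit`, the sample listing and the `example-pkg` entry are constructed for illustration; only the dnsmasq-full version comes from the thread, and the version comparison is a simplified numeric one, not opkg's own.

```shell
#!/bin/sh
# Added example: check installed package versions, not the OpenWrt release number.
# On a router:  opkg list-installed | audit "$BASELINE"

# ver_ge A B: succeed if A >= B. Simplified: split on '.' and '-' and compare
# each field numerically (an approximation, not opkg's own comparison rules).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# audit BASELINE: stdin is "name - version" lines; BASELINE is "name min" lines.
audit() {
    installed=$(cat)
    printf '%s\n' "$1" | while read -r pkg min; do
        [ -n "$pkg" ] || continue
        have=$(printf '%s\n' "$installed" |
            awk -v p="$pkg" '$1 == p && $2 == "-" { print $3; exit }')
        if [ -z "$have" ]; then
            echo "MISSING $pkg"
        elif ver_ge "$have" "$min"; then
            echo "OK $pkg $have"
        else
            echo "OUTDATED $pkg $have (want >= $min)"
        fi
    done
}

# dnsmasq-full minimum is the version quoted in the thread; example-pkg is a placeholder.
BASELINE='dnsmasq-full 2.80-16.3
example-pkg 1.0-1'

# Constructed sample listing (not from a real device).
SAMPLE='base-files - 1.0-constructed
dnsmasq-full - 2.80-13'

printf '%s\n' "$SAMPLE" | audit "$BASELINE"
```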