I do not see any new snapshot/rc/beta versions for the AR300M, AR300M16, AR750, or AR750S, whereas other models like the A1300 have been updated to 4.4.6 and have 4.5.0 in beta. Looking at the 4.5.0 release notes, it says it fixes 10 known security issues. Are these security issues present in 4.3.7, and are we at risk running 4.3.7?
Is firmware 4.3.7 the last version for these routers, or should we expect new versions of 4.x firmware for our routers that are still under support?
The release notes for firmware 4.3.7 for X750/XE300/etc list many vulnerabilities fixed.
The release notes for firmware 4.5.0 for A1300/AXT1800/etc list the same fixes.
But the release notes for firmware 4.3.7 for AR750S/AR300/etc do not list any vulnerability fixes.
Can anyone from GL-iNet confirm if those same vulnerabilities were fixed in firmware 4.3.7 for AR750S/AR300/etc?
These vulnerabilities were found and fixed after the release of firmware 4.3.7 for AR750S/AR300/etc, and fixed in firmware releases from about December 2023 onward, such as 4.3.7 for X750/XE300/SFT1200, 4.5.0 for A1300/MT2500/MT3000/AX1800/AXT1800/X300B, and 4.4.4/4.4.5 for X3000/XE3000.
@fangzekun Thank you for this information. Since the security bugs are not fixed in firmware 4.3.7 for these products that are still under support, what are GL iNet’s recommended mitigations to protect our routers and home networks from the following open CVEs:
How much risk are we in from each of the above CVEs? Several of these are rated CRITICAL.
@alzhao - As some of these products are still being sold and promoted by GL iNet, and there are a lot more Shadows and Mangos in use than many of your newer router models, why are firmware updates no longer a priority for these products?
CVE ratings are not really binding, you always have to check them against your own environment.
Critical is not necessarily critical, as I described above. You usually take these ratings and read through for yourself what the problem is; then you think about what the mitigation looks like, or whether the criticality applies at all. In short, that's what @alzhao already wrote.
It allows an attacker to easily gain access to a system without knowing a valid username and password. Addressing this vulnerability often requires redesigning the authentication mechanism of the system, avoiding hard-coded credentials in the code, and adopting more secure authentication methods, such as using hashed password stores and salt values to protect user credentials.
You can look at the link to see that this attack is just a simple set of scriptable curl commands. As I am travelling and don't have a spare GL iNet router to test with, I was not able to verify this CVE, so I am going on just what is documented.
As I don't think many GL iNet router models, even including the relatively new A1300, have stable 4.5.x code released yet, there must be many GL iNet routers open to this attack if they are on LAN networks that are not under your full control, or possibly have open WiFi access.
I will set up an iptables rule while I am waiting for GL iNet to eventually provide fixed firmware for all my supported routers. It sure would have been nice to know this weeks ago, without having to do so much digging.
Hopefully this firmware shows up before any more of my GL iNet routers get beyond their end-of-support dates, as I'm still disappointed that GL iNet never provided the promised 4.x software for my USB150s or N300, as firmware 2.1.6 seems to have the same CVEs. EOL/support policy for gl.inet products - #8 by yuxin.zou