AC-1900 Router: Patch Available for Security Vulnerability?

magentaco

    Hi T-Mobile!

     

    I have a T-Mobile AC-1900 router with Firmware Version:3.0.0.4.376_3181.

     

    Security researches identified 2 vulnerabilities (CVE-2018-5999 and CVE-2018-6000) which, when combined, allow for Remote Code Execution from within the LAN network. Essentially, anyone on your local network (even on a separated guest network) can do anything they want to the affected ASUS routers, including RT-AC86U routers with Firmware versions below 3.0.0.4.384_10007.

     

    I wanted to confirm:

    1. If the AC-1900 is affected by these vulnerabilities (I assume it is)
    2. If so, when T-Mobile will be offering firmware upgrades

     

    A news article on this topic can be seen at: https://threatpost.com/asus-patches-root-command-execution-flaws-haunting-over-a-dozen-router-models/129666/

     

    Links to CVEs:

    NVD - CVE-2018-5999

    NVD - CVE-2018-6000

      All replies

      • dragon1562

        T-mobile is not the one that creates the updates. It would be Asus I believe. The router itself is pretty old thus I would not get my hopes up for anything speedy. However, this is just a educated guess based on experiences I have had in the past.

        1 of 1 people found this helpful
        • tmo_amanda

          Hey, magentaco!

           

          Welcome to our Support Community! This was a hot topic a few months ago around here and I think you may find some helpful information in the mega post here:TM-AC1900 and KRACK WiFi vulnerability that answers both of your questions. It also has a few user recommended work-arounds.

          1 of 1 people found this helpful
          • magentaco

            For anyone who stumbles across this, I wanted to highlight that this is once again a totally separate issue from the "KRACK" attack, and unlike KRACK, this router is definitely vulnerable.

             

            I have flashed my router to using ASUS standard firmware so I can now update to the latest patches ASUS releases for their usual product line and I am now safe from the above vulnerabilities.

             

            Anyone who has NOT flashed their device, I would strongly recommend you do. And if you can't (or can't replace the router), at the very least I would recommend turning off any guest network / passwordless access to any part of your network, as an attacker can attack from anywhere that has access to your router.

             

            Good luck!

            1 of 1 people found this helpful
            • scottjd

              The reason T-Mobile was able to sell these at cheaper cost, give them away in certain use cases for some customers is because they would have had to agree to support the router. Supporting it also means the firmware update, that’s why T-Mobiles name is on it. This is not Asus;s job to fix this vulnerability. I won the same Asus RT-AC68U (same hardware) router and it was fixed a log time ago woth plenty  of firmware updated in between.

              Asus’s hardware version of this router is still supported, is still sold for new at $130 USD, and is one of the most stable and best WiFi routers I’ve owned, even more stable of you run merlins firmware on it and it doesn’t voice the warranty with Asus. Asus has recommended installing other firmwares for some people.

               

              This is a big vulnerability, remote bots being installed on routers and affected all the routers. The mega thread they keep referring to is no longer accessible.

              Is T-Mobile just washing your hands and waking away saying it’s not supported now? Personally opinion, like andriod devices it’s up to the manufacture to update andriod and most don’t. This method of doing software updates should never had happened. In the IT world a end of support date is usually announced a year in advanced giving people notice they will need to buy a new one.

               

              My ideas to help you to take some responsibility (but mainly help others and close this security issue).

              1. Pay Asus to release a firmware that will turn this into s normal RT-AC68U WiFi router so people can securily use it with the new 4G-LTE range extenders you now offer.

               

              Side Note: I don’t know what kind of discount you got from Asus to support this yourself in the contract, or how much you would have to pay Asus to take back support of this router? But it seems apparently obvious you don’t have the team with the skill to fix this or release a firmware update to patch this security issue, or you just don’t care.  I didn’t think I was signing up for an AT&T account?

               

              2. Pay Merlin to create a firmware update for the TM-AC1900 with the patch firmthe vulnerability. His firmware is also more stable then the Asus firmware Most times. You can give him the rules for QOS so VoIP is still priority for the bandwidth needed if people don’t want to install another device like the 4G-LTE extender. Merlin can do this because all the code used is open source, but it will not have the AIMesh ability since this is closed code thay Asus created.

               

              Release the rules that were used in the QOS so some people can change the firmware themself and apply these rules and continue to use VoIP with the phone security and start getting firmware updates from Asus or Merlin.

               

              Heck , maybe I will even make a video showing people how to do this, just ship me one or two old TM-AC1900 routers and give me the list of rules used for QOS VoIP. On second thought, if I have two of these TM-AC1900 I can get the rules from the NVRAM, but it would be easier if you just gave me the rules.

               

              I’m 98% sure I can even make a simple firmware update to the Merlin version. I might need to email him for his permission to fork his firmware and add these optional VoIP rules, but he might decide because of the risk that we should create a custom firmware for this and fix your problem by not taking responsibility for this issue. This may be against your contract with Asus, but I’m not bound to this contract and and the code is open source.

               

              Even devices that are no longer supported like my 12yr old NetGear NAS still will get security patches if it’s a big vulnerability like this.

              Email me, contact me. I’ll help you get this fixed and after the fix it will be supported with another firmware that is still supporting the router with future firmware updates, or at least security updates.

               

              A little about me, retired network cyber security engineer and forensics investigations for 15+ years. So yes, I think ignoring this is nkt a good solution at all And puts a lot of people’s wifi at risk almkng with personal data, and the router being hijacked and used as a bot in part of a botnet to join attacks DDoS (denial of service) atracked on other networks. And these people don’t even know this, may not even be aware of this vulnerability or the fact that the router YOU gave them could be used for malicious attacks.

               

              I’m serious, contac tme about this please,

              Scott

               

              Edit: Spell check error and one more idea added about the QOS rules.