question about 2 routers

Discussion in 'other firewalls' started by lucd, Apr 17, 2019.

  1. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    78
    Location:
    Poland
    So I have 1 router from the ISP and I am using it just to forward traffic to my "security" router, an Asus with AiProtection, which then connects multiple devices (DHCP on). The firmware is up to date. I was wondering, since I scanned the router with Avast and it says port 9999 is open even though I closed it down in the router settings (you have the option to close the remote administrative connection with custom Asus Merlin firmware, so the UDP port from infosvr should be down). Anyway, my question is: if my Asus router was hacked, would the ISP one still need to be hacked (it's a decent router with a strong password)? The 9999 port is dangerous (looking at history) and I was attacked once with connection 9999. Best
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,431
    Location:
    U.S.A.
    Based on this:
    https://threatpost.com/asus-patches...s-haunting-over-a-dozen-router-models/129666/

    Asus routers use UDP port 9999 for internal purposes and as noted, it has been exploited in the past due to vulnerabilities in its designed use.
     
  3. lucd

    Calling Asus to ask for help was an exercise in futility, and that type of call is funny; don't they register calls for QA? It seemed like he wanted me to end the call the moment I asked about port 9999.
    My question is still unanswered since I don't fully understand how a double router setup works. If one is just forwarding traffic (the ISP one) to the Asus (as AP), then in order for the hacker to get full benefit from getting hold of a router (say the Asus via port 9999), does he also have to hack the forwarding router from the ISP? Seems like "no". Hopefully the latest modded firmware will stop the vulnerability (as I said, there is the internal option with Asus Merlin to switch it off and I did, but network scanning still shows port 9999 open).

    Options: I'll sell that thing and move to pfSense as a cheap pro solution, or I set up telnet with scripts on JFFS, or I just leave the ISP one, which also sucks (it's better than other ISPs' though, but has a lot of CVEs of its own) but doesn't cut traffic in half. The problem is I liked Asus routers, but that CVE... So I don't want to spend too much (company-level routers are very $$$) and yet want some router with fewer "coding errors" and a decent firewall (I also like the idea of traffic analysis by AV at the router level; apart from privacy concerns it's a cool thing), but I guess everything is subject to some "CVE discoveries", so the only good one would be a maintained one with updates.
     
    Last edited: Apr 20, 2019
  4. itman

    In the setup you have, the ISP router is forwarding all Internet traffic to your Asus router. That would include UDP port 9999 traffic.

    The issue is not so much that port 9999 is open on the WAN side of the router. The question is if the port 9999 is open on the LAN side of the Asus router. From the write-ups given on abuse of the Asus service utility, it appears that port 9999 is possibly open on the LAN side of the router. Now if the port is in a closed but not stealth mode, that is not as bad. The real question is if this Asus "infosvr" utility software is really needed? I have never heard of any router that requires Windows software to be installed to function properly. Worse is if it requires a Win root CA certificate to be installed. Of note, the recent supply chain attack against Asus update servers.
     
  5. lucd

    I don't have any Asus software installed on the host, and the Asus is set up with DHCP, wifi traffic only to devices, no LAN network, apart from maintenance sometimes when I need to quickly edit stuff in the GUI (with Internet off). My software FW is pretty decent and it's all in a VM plus "blockers", admin templates, SRP and such, but I dunno what to make of the Asus and how badly it can hurt me in this situation.
     
    Last edited: Apr 19, 2019
  6. itman

    Then simply block any inbound UDP port 9999 traffic with a firewall rule and you're done with the issue. You can do so even using the Win firewall.
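
The Windows Firewall rule suggested above, as an added example that is not part of the original post: it creates an inbound block rule for UDP 9999 on the Windows host, reads the rule back, and lists anything on that host bound to the port. The rule name and function name are made-up labels for this example; the rule filters traffic arriving at this PC only.

```powershell
#Requires -RunAsAdministrator
# Added example: block inbound UDP 9999 on this Windows host and verify it.
# $ruleName and Set-Udp9999Block are hypothetical names chosen for this example.
$ruleName = 'Block inbound UDP 9999 (example)'

function Set-Udp9999Block {
    param([string]$Name = $ruleName)

    # Create the rule only if one with this name does not already exist,
    # so the script can be re-run without piling up duplicates.
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName $Name `
            -Direction Inbound -Protocol UDP -LocalPort 9999 `
            -Action Block -Profile Any -Enabled True
    }

    # Read the stored rule back instead of trusting the creation call.
    $filter = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Enabled   = $rule.Enabled
        Action    = $rule.Action
        Direction = $rule.Direction
        Profile   = $rule.Profile
        Protocol  = $filter.Protocol
        LocalPort = $filter.LocalPort
    }
}

function Get-Udp9999Listener {
    # Show whether any local process is bound to UDP 9999 on this host.
    Get-NetUDPEndpoint -LocalPort 9999 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
}

Set-Udp9999Block | Format-List
Get-Udp9999Listener | Format-Table -AutoSize
```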
     
  7. lucd

    I understand, I just don't like someone tampering freely with my router. Can't DNS be spoofed in that case (I guess no, since the host takes precedence over the router DNS setting)? Or imagine the FW crashes one day due to some update or something else :) Anyway, thanks for helping me.
     
    Last edited: Apr 20, 2019