ASUS wireless router updates are vulnerable to a MITM attack

2014.10.29
Credit: David
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


Ogólna skala CVSS: 7.1/10
Znaczenie: 6.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Pełny
Wpływ na dostępność: Brak

The ASUS RT- series of wireless routers rely on an easily manipulated process to determine if a firmware update is available, and to retrieve the necessary update binary. In short, the router downloads via clear-text a file from http://dlcdnet.asus.com, parses it to determine the latest firmware version, then downloads (again in the clear) a binary file matching that version number from the same web site. No HTTP = no assurance that the site on the other end is the legitimate ASUS web site, and no assurance that the firmware file and version lookup table have not been modified in transit. In the link below I describe the issue in detail, and demonstrate a proof of concept through which I successfully caused an RT-AC66R to "upgrade" to an older firmware with known vulnerabilities. In concept it should also be possible to deliver a fully custom malicious firmware in the same manner. This applies to the RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U. It may also apply to the RT-N53, RT-N14U, RT-N16, and RT-N16R since they use the same firmware base but a different sub-version. This has been fixed as an undocumented feature of the 376 firmware branch (3.0.0.4.376.x). Details and POC: http://dnlongen.blogspot.com/2014/10/CVE-2014-2718-Asus-RT-MITM.html

Referencje:

http://dnlongen.blogspot.com/2014/10/CVE-2014-2718-Asus-RT-MITM.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top