A researcher has identified a flaw that can be exploited to trick certain ASUS wireless routers into updating their firmware to old or potentially malicious versions.
In a blog post published on Tuesday, security researcher David Longenecker revealed that ASUS routers of the RT series are plagued by the flaw, which has been assigned the CVE identifier CVE-2014-2718.
The list of affected devices includes RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, and RT-N56U. However, according to the expert, RT-N53, RT-N14U, RT-N16 and RT-N16R could also be impacted since they use the same firmware base.
When ASUS RT routers check for firmware updates, they first download a version lookup file from http://dlcdnet.asus.com, which tells the device the version number of the latest firmware. The firmware image matching that version is then downloaded from the same domain.
The problem, according to Longenecker, is that both files are fetched over plain HTTP, so the router verifies neither the identity of the server it is talking to nor the integrity of what it receives. Anyone in a position to perform a man-in-the-middle (MitM) attack can therefore have the router download arbitrary files from a server under their control.
"No HTTPS = no assurance that the site on the other end is the legitimate ASUS web site, and no assurance that the firmware file and version lookup table have not been modified in transit," Longenecker explained.
In the attack scenario detailed by the researcher, the attacker downloads the version lookup file from the ASUS website, edits the version number it advertises, and hosts the modified copy on his own server. He then names his own firmware image following the naming convention ASUS uses for updates and hosts it alongside. The key, the expert said, is to serve both files under exactly the same paths they have on the legitimate ASUS domain, so the router's unchanged requests resolve to the attacker's copies.
When the router checks for a firmware update, the attacker launches the MitM attack by making dlcdnet.asus.com resolve to his own server. This can be done by adding a static entry to the router's "hosts" file or by poisoning the DNS configuration the router uses.
In his tests, the researcher was not able to get the router to install a rogue firmware image, because of the file integrity checks ASUS had put in place. However, Longenecker believes the integrity check could possibly be bypassed by modifying a legitimate image in a way the upgrader would still accept.
What the researcher did demonstrate is a downgrade attack: because older ASUS releases are themselves legitimate images that pass the integrity check, an attacker can simply advertise an older, vulnerable version in the lookup file and trick the router into installing it instead of the latest release.
The vulnerability was reported to ASUS and the company fixed it silently with the release of firmware version 3.0.0.4.376.1123.
"The new design incorporates a signed checksum downloaded from the ASUS web site, which is verified using the public key on the router. Without the private key, an attacker cannot sign a checksum in such a way that the router would accept it," Longenecker said. "A MITM attack could still show a new firmware as available, or prevent the router from seeing a legitimate new firmware, but an attacker can no longer induce the router to install a fake firmware. I strongly suggest installing this update as soon as possible."
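The following Go program is an added illustration of both the attack flow described above and the signed-manifest fix; it is example code written for this page, not ASUS's firmware or Longenecker's test setup. The lookup-file format ("version=..." / "sha256=..."), the firmware file name, the sample image contents and the old version number 3.0.0.4.374.5517 are all constructed assumptions, and an in-memory `server` value stands in for whatever host dlcdnet.asus.com resolves to. It goes one step beyond the quoted fix by also refusing to install a version older than the one running, which the article does not attribute to ASUS.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// manifest is a constructed stand-in for ASUS's version lookup file.
// Assumed layout: "version=<v>\nsha256=<hex of firmware image>\n".
type manifest struct{ version, sha256 string }

func parseManifest(raw []byte) (manifest, error) {
	var m manifest
	for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return m, fmt.Errorf("bad manifest line %q", line)
		}
		switch k {
		case "version":
			m.version = v
		case "sha256":
			m.sha256 = v
		}
	}
	if m.version == "" || m.sha256 == "" {
		return m, errors.New("manifest missing version or sha256")
	}
	return m, nil
}

// server is an in-memory stand-in for the host dlcdnet.asus.com resolves to:
// ASUS's CDN, or the box the MitM attacker pointed the name at.
type server struct {
	manifest    []byte
	manifestSig []byte            // only present in the fixed design
	firmware    map[string][]byte // file name -> image bytes
}

func firmwareName(version string) string { return "FW_RT_AC68U_" + version + ".trx" } // assumed naming

func imageHash(img []byte) string {
	sum := sha256.Sum256(img)
	return hex.EncodeToString(sum[:])
}

func buildManifest(version string, img []byte) []byte {
	return []byte("version=" + version + "\nsha256=" + imageHash(img) + "\n")
}

// vulnerableUpdate models the pre-fix flow: unauthenticated manifest,
// unauthenticated image, and an integrity check that only proves the image
// matches the manifest. A genuine but older image passes it, so a MitM
// serving an old manifest plus the matching old image triggers a downgrade.
func vulnerableUpdate(srv server) (string, error) {
	m, err := parseManifest(srv.manifest)
	if err != nil {
		return "", err
	}
	img, ok := srv.firmware[firmwareName(m.version)]
	if !ok {
		return "", errors.New("firmware not found")
	}
	if imageHash(img) != m.sha256 {
		return "", errors.New("integrity check failed")
	}
	return m.version, nil // installs whatever the manifest named
}

// newerThan compares dotted numeric versions such as 3.0.0.4.376.1123.
func newerThan(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x > y
		}
	}
	return len(as) > len(bs)
}

// signedUpdate models the fixed design: the manifest carrying the checksum is
// signed with a key only ASUS holds and verified against a public key baked
// into the router, so a MitM can neither forge nor alter it. The rollback
// check is this example's own addition, not part of the fix the article quotes.
func signedUpdate(srv server, pub ed25519.PublicKey, installed string) (string, error) {
	if !ed25519.Verify(pub, srv.manifest, srv.manifestSig) {
		return "", errors.New("manifest signature invalid")
	}
	m, err := parseManifest(srv.manifest)
	if err != nil {
		return "", err
	}
	if !newerThan(m.version, installed) {
		return "", errors.New("refusing downgrade to " + m.version)
	}
	img, ok := srv.firmware[firmwareName(m.version)]
	if !ok {
		return "", errors.New("firmware not found")
	}
	if imageHash(img) != m.sha256 {
		return "", errors.New("integrity check failed")
	}
	return m.version, nil
}

// Constructed sample data; neither the images nor 3.0.0.4.374.5517 are real.
var (
	oldVer, newVer = "3.0.0.4.374.5517", "3.0.0.4.376.1123"
	oldImg, newImg = []byte("constructed old image"), []byte("constructed new image")
)

func main() {
	asus := server{manifest: buildManifest(newVer, newImg), firmware: map[string][]byte{firmwareName(newVer): newImg}}
	mitm := server{manifest: buildManifest(oldVer, oldImg), firmware: map[string][]byte{firmwareName(oldVer): oldImg}}
	v, err := vulnerableUpdate(mitm)
	fmt.Println("vulnerable flow via MitM:", v, err) // accepts the downgrade
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	asus.manifestSig = ed25519.Sign(priv, asus.manifest)
	v, err = signedUpdate(asus, pub, oldVer)
	fmt.Println("signed flow via ASUS:", v, err)
	v, err = signedUpdate(mitm, pub, oldVer)
	fmt.Println("signed flow via MitM:", v, err) // rejected: no valid signature
}
```

Note what the signed manifest does and does not buy: the MitM can still withhold the manifest or replay a stale signed one, which matches the researcher's remark that an attacker can still hide or announce updates; only the version comparison above turns a replayed older manifest into a refusal, and that is an extra hardening step, not the fix as described.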