SecurityWeek

Network Security

Vulnerability Found in Firmware Update Process of ASUS Routers

A researcher has identified a flaw that can be exploited to trick certain ASUS wireless routers into updating their firmware to old or potentially malicious versions.

In a blog post published on Tuesday, security researcher David Longenecker revealed that ASUS routers of the RT series are affected by the flaw, which has been assigned the identifier CVE-2014-2718.

The list of affected devices includes RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, and RT-N56U. According to the researcher, RT-N53, RT-N14U, RT-N16 and RT-N16R could also be affected, since they use the same firmware base.

When an ASUS RT router checks for firmware updates, it first downloads a version lookup table from http://dlcdnet.asus.com that tells it what the latest firmware version is. It then downloads, from the same host, the firmware image whose name matches that version.

The problem, according to Longenecker, is that both files are fetched over plain HTTP. Without TLS the router can neither authenticate the server nor detect tampering in transit, so an attacker positioned between the router and the update server (a man-in-the-middle, or MitM) can make the device download arbitrary files from a server he controls.

“No HTTPS = no assurance that the site on the other end is the legitimate ASUS web site, and no assurance that the firmware file and version lookup table have not been modified in transit,” Longenecker explained.

In the attack scenario detailed by the researcher, the attacker first downloads the legitimate version table from the ASUS site and edits the version entry so that it advertises an update. He then renames his own firmware image to match the naming convention ASUS uses for that version and hosts both files on his own server. The key, the researcher said, is to place both files at exactly the same paths as on the legitimate ASUS domain: the router only has to be redirected to a different host, and it still requests the same paths.

When the router checks for a firmware update, the attacker performs the MitM step by making dlcdnet.asus.com resolve to his own server instead of ASUS's. This can be done by adding a static entry to the router's hosts file or by poisoning the DNS configuration on the router; any position that lets the attacker answer the router's DNS queries or intercept its outbound HTTP would serve the same purpose.

In his tests, the researcher did not manage to get the router to install a rogue firmware image, because of file integrity checks put in place by ASUS. However, Longenecker believes the integrity check could be bypassed by modifying a legitimate binary in a way the upgrader would still accept.

The researcher did demonstrate, however, that an attacker can simply trick the router into installing an older, vulnerable version of the firmware instead of the latest release. An older image is a genuine ASUS file, so it passes the same integrity checks that blocked the rogue image; only the version advertised in the lookup table has been altered.
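The update flow and the downgrade trick described above, as an added example that is not part of the article or of ASUS's code. It models the router's check as two plain-HTTP fetches (a version table, then an image named after the advertised version) and swaps the "network" for an attacker-controlled one that answers for the same paths. The table format, file naming, the version-comparison rule and the CRC trailer standing in for ASUS's integrity check are all assumptions made for illustration.

```python
"""Model of the pre-fix update check (added example; not ASUS's code).

Two plain-HTTP fetches: a version table, then a firmware image whose name is
derived from the advertised version. Table format, file naming, the
version-comparison rule and the CRC trailer are assumptions for illustration.
"""
import zlib
from typing import Callable

UPDATE_HOST = "dlcdnet.asus.com"                   # host named in the article
MODEL = "RT-AC66U"
TABLE_PATH = "/pub/ASUS/wireless/fw_versions.txt"  # assumed path

Fetch = Callable[[str, str], bytes]                # (host, path) -> body; no TLS


def parse_version(v: str) -> tuple:
    """'3.0.0.4.376.1123' -> (3, 0, 0, 4, 376, 1123) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def image_path(model: str, version: str) -> str:
    return f"/pub/ASUS/wireless/{model}_{version}.trx"  # assumed naming convention


def make_image(version: str) -> bytes:
    """Constructed image: version string plus a CRC32 trailer. A CRC is an
    integrity check, not authentication: anyone can recompute it, and a
    genuine old image passes it unchanged."""
    body = b"FIRMWARE " + version.encode()
    return body + zlib.crc32(body).to_bytes(4, "big")


def image_ok(image: bytes) -> bool:
    body, crc = image[:-4], int.from_bytes(image[-4:], "big")
    return zlib.crc32(body) == crc


def image_version(image: bytes) -> str:
    return image[:-4].split(b" ", 1)[1].decode()


OLD, NEW = "3.0.0.4.374.5517", "3.0.0.4.376.1071"  # constructed version numbers

LEGIT_CDN = {
    TABLE_PATH: f"{MODEL}#FW#{NEW}\n".encode(),
    image_path(MODEL, OLD): make_image(OLD),
    image_path(MODEL, NEW): make_image(NEW),
}


def legit_network(host: str, path: str) -> bytes:
    assert host == UPDATE_HOST
    return LEGIT_CDN[path]


def build_attacker_mirror() -> dict:
    """Same paths as the real CDN; the table now advertises a version higher
    than anything shipped, and the *old* genuine image is renamed to match."""
    bait = "3.0.0.4.376.9999"
    return {
        TABLE_PATH: f"{MODEL}#FW#{bait}\n".encode(),
        image_path(MODEL, bait): LEGIT_CDN[image_path(MODEL, OLD)],
    }


ATTACKER_MIRROR = build_attacker_mirror()


def mitm_network(host: str, path: str) -> bytes:
    """Poisoned DNS / hosts entry: the router still asks for dlcdnet.asus.com,
    but the name resolves to the attacker, who answers for the same paths."""
    assert host == UPDATE_HOST
    return ATTACKER_MIRROR[path]


def check_and_update(current: str, fetch: Fetch) -> tuple:
    """Legacy flow. Returns (action, version now installed)."""
    table = fetch(UPDATE_HOST, TABLE_PATH).decode()
    latest = dict(line.split("#FW#") for line in table.splitlines())[MODEL]
    if parse_version(latest) <= parse_version(current):
        return ("up-to-date", current)
    image = fetch(UPDATE_HOST, image_path(MODEL, latest))
    if not image_ok(image):
        return ("rejected", current)
    # Nothing ties the image's own version to the advertised one, and nothing
    # proves either file came from ASUS: a genuine old image is installed.
    return ("installed", image_version(image))


if __name__ == "__main__":
    print(check_and_update(OLD, legit_network))  # ('installed', '3.0.0.4.376.1071')
    print(check_and_update(NEW, legit_network))  # ('up-to-date', '3.0.0.4.376.1071')
    print(check_and_update(NEW, mitm_network))   # ('installed', '3.0.0.4.374.5517')
```

The third call is the downgrade: a router already on the newest release sees a higher number in the attacker's table, fetches the file named for it, gets a genuine older image that passes the unkeyed check, and installs it.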

The vulnerability was reported to ASUS, which fixed it, without a public announcement, in firmware version 3.0.0.4.376.1123.

“The new design incorporates a signed checksum downloaded from the ASUS web site, which is verified using the public key on the router. Without the private key, an attacker cannot sign a checksum in such a way that the router would accept it,” Longenecker said. “A MITM attack could still show a new firmware as available, or prevent the router from seeing a legitimate new firmware, but an attacker can no longer induce the router to install a fake firmware. I strongly suggest installing this update as soon as possible.”
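A signed-checksum verification flow of the kind Longenecker describes, as an added example that is not ASUS's implementation. Textbook RSA is generated in-process so the example runs offline on the standard library alone; production signing must use a vetted library and a padded scheme (RSA-PSS or Ed25519), and only the verification flow is the point here. The checksum-file format, the binding of version to image hash, and the rollback rule are this example's own design choices, not statements about ASUS's firmware.

```python
"""Signed-checksum firmware verification (added example; not ASUS's code).

Toy textbook RSA, generated here so the example is self-contained. Real
deployments must use a vetted library and a padded signature scheme.
"""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand


def keygen(bits: int = 512):
    """Returns (public, private) as (e, n), (d, n)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    d, n = priv
    return pow(digest_int(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest_int(data)


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def publish(version: str, image: bytes, priv) -> dict:
    """Vendor side: the checksum file binds version to image hash, and the
    signature covers the whole file, so neither field can be edited in transit."""
    checksum_file = f"{version} {hashlib.sha256(image).hexdigest()}\n".encode()
    return {"image": image, "checksum": checksum_file, "sig": sign(priv, checksum_file)}


def router_decision(current: str, release: dict, vendor_pub) -> str:
    """Router side, with the vendor public key baked into the firmware."""
    if not verify(vendor_pub, release["checksum"], release["sig"]):
        return "reject: checksum file not signed by vendor key"
    version, digest = release["checksum"].decode().split()
    if hashlib.sha256(release["image"]).hexdigest() != digest:
        return "reject: image hash does not match signed checksum"
    if parse_version(version) <= parse_version(current):
        return "reject: not newer than installed version"
    return "install"


# Constructed keys and releases.
VENDOR_PUB, VENDOR_PRIV = keygen()
ATTACKER_PUB, ATTACKER_PRIV = keygen()  # attacker has a key, just not the vendor's
OLD, NEW = "3.0.0.4.374.5517", "3.0.0.4.376.1123"
GENUINE_OLD = publish(OLD, b"genuine image " + OLD.encode(), VENDOR_PRIV)
GENUINE_NEW = publish(NEW, b"genuine image " + NEW.encode(), VENDOR_PRIV)
ROGUE = publish("3.0.0.4.376.9999", b"backdoored image", ATTACKER_PRIV)
TAMPERED = dict(GENUINE_NEW, image=b"backdoored image")  # real signed checksum, swapped image

if __name__ == "__main__":
    for name, rel in [("genuine", GENUINE_NEW), ("rogue", ROGUE), ("tampered", TAMPERED)]:
        print(name, "->", router_decision(OLD, rel, VENDOR_PUB))
    print("replay old ->", router_decision(NEW, GENUINE_OLD, VENDOR_PUB))
```

The rollback rule in `router_decision` is this example's addition. A signed checksum on its own stops forged or altered images, which is the fix the article describes, but a MitM who replays a genuine older image together with its genuine signed checksum file would still pass the signature and hash checks unless the signed data names the version and the router refuses to go below the one it is running. And, as Longenecker notes, an attacker on the path can still advertise a non-existent update or hide a real one; signatures protect integrity, not availability.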

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
