Vulnerability Found in Firmware Update Process of ASUS Routers

A researcher has identified a flaw that can be exploited to trick certain ASUS wireless routers into updating their firmware to old or potentially malicious versions.

In a blog post published on Tuesday, security researcher David Longenecker revealed that ASUS routers of the RT series are plagued by the flaw, which has been assigned the CVE identifier CVE-2014-2718.

The list of affected devices includes RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, and RT-N56U. However, according to the expert, RT-N53, RT-N14U, RT-N16 and RT-N16R could also be impacted since they use the same firmware base.

When an ASUS RT router checks for firmware updates, it first downloads a version-lookup file from http://dlcdnet.asus.com that tells the device which firmware version is the latest. It then downloads the firmware image matching that version from the same domain.

The problem, according to Longenecker, is that both files are fetched over plain HTTP, so neither the server's identity nor the files' integrity is verified in transit. This allows a malicious actor positioned as a man-in-the-middle (MitM) to have the router download an arbitrary file from a server under the attacker's control.

“No HTTPS = no assurance that the site on the other end is the legitimate ASUS web site, and no assurance that the firmware file and version lookup table have not been modified in transit,” Longenecker explained.

In the attack scenario detailed by the researcher, the attacker downloads the version-lookup file from the ASUS website, edits the version number it advertises as the latest, and uploads the modified file to a server under the attacker's control. The attacker then renames a firmware image to match the naming convention ASUS uses for updates and uploads it to the same server. The key, the expert said, is to host both files at the same path they occupy on the legitimate ASUS domain.

When the router checks for a firmware update, the attacker launches a MitM attack that resolves the dlcdnet.asus.com name to the attacker's own server. This can be done by adding a static entry to the “hosts” file, or by poisoning the DNS configuration on the router.

In his tests, the researcher did not manage to get the router to update to a rogue version of the firmware, because of file integrity checks put in place by ASUS. However, Longenecker believes the integrity check could possibly be bypassed by modifying a legitimate binary in a way the upgrader would still accept.

On the other hand, the researcher has demonstrated that an attacker can simply trick the router into installing an older, vulnerable version of the firmware, instead of the latest release.

The vulnerability was reported to ASUS and the company fixed it silently with the release of version 3.0.0.4.376.1123.

“The new design incorporates a signed checksum downloaded from the ASUS web site, which is verified using the public key on the router. Without the private key, an attacker cannot sign a checksum in such a way that the router would accept it,” Longenecker said. “A MITM attack could still show a new firmware as available, or prevent the router from seeing a legitimate new firmware, but an attacker can no longer induce the router to install a fake firmware. I strongly suggest installing this update as soon as possible.”
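The fix described above pairs a vendor-signed checksum with a public key held on the router. The following Go program is an added illustration of that router-side gate; it is not ASUS's code, and the JSON manifest layout, the use of Ed25519, and the sample firmware bytes are all assumptions made for the example. It goes one step beyond the page's description of the fix: besides verifying the signature and the checksum, it refuses any advertised version that is not newer than the one running, which closes the downgrade path Longenecker demonstrated even when an older, genuinely signed release is replayed by an on-path attacker.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest stands in for the version-lookup record the update server publishes.
// ASUS's real file format is not on the page; this JSON layout is an assumption.
type Manifest struct {
	Version   string `json:"version"` // dotted numeric, e.g. "3.0.0.4.376.1123"
	SHA256Hex string `json:"sha256"`  // hex SHA-256 of the firmware image
}

// HashFirmware computes the checksum the signed manifest commits to.
func HashFirmware(firmware []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(firmware))
}

// SignManifest signs the exact bytes that will be published, so any change made
// in transit (a bumped version, a swapped checksum) invalidates the signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// component returns the i-th dotted component as an integer, 0 if absent.
func component(parts []string, i int) (int, error) {
	if i >= len(parts) {
		return 0, nil
	}
	return strconv.Atoi(parts[i])
}

// CompareVersions orders dotted numeric versions component by component,
// returning -1, 0 or 1 (assumed scheme: every component is a plain integer).
func CompareVersions(a, b string) (int, error) {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		x, errX := component(pa, i)
		y, errY := component(pb, i)
		if errX != nil || errY != nil {
			return 0, fmt.Errorf("non-numeric version component in %q or %q", a, b)
		}
		if x < y {
			return -1, nil
		}
		if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

// VerifyUpdate is the router-side gate: the manifest must carry a valid vendor
// signature, advertise a version newer than the running one (so a replayed old
// but genuine manifest cannot force a downgrade), and the downloaded image must
// hash to the checksum the signed manifest names.
func VerifyUpdate(pub ed25519.PublicKey, running string, body, sig, firmware []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("manifest signature invalid: not signed with vendor key")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, fmt.Errorf("malformed manifest: %w", err)
	}
	cmp, err := CompareVersions(m.Version, running)
	if err != nil {
		return m, err
	}
	if cmp <= 0 {
		return m, fmt.Errorf("refusing downgrade or replay: offered %s, running %s", m.Version, running)
	}
	if HashFirmware(firmware) != m.SHA256Hex {
		return m, errors.New("firmware image does not match signed checksum")
	}
	return m, nil
}

func main() {
	// Vendor key pair; in a deployment only the public half lives on the router.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := []byte("constructed sample firmware image, not a real ASUS build")
	body, sig, _ := SignManifest(priv, Manifest{Version: "3.0.0.4.376.1123", SHA256Hex: HashFirmware(good)})

	_, err := VerifyUpdate(pub, "3.0.0.4.374.0", body, sig, good)
	fmt.Println("genuine update     ->", err)
	_, err = VerifyUpdate(pub, "3.0.0.4.374.0", body, sig, []byte("image swapped by an on-path attacker"))
	fmt.Println("tampered image     ->", err)
	_, err = VerifyUpdate(pub, "3.0.0.4.378.0", body, sig, good)
	fmt.Println("replayed old build ->", err)
}
```

The signature covers the serialized manifest rather than the firmware image directly, so the router can reject a bad version-lookup file before spending bandwidth on the image, and the checksum binds the image to that signed record. Note what this does not prevent, matching Longenecker's remark: an on-path attacker can still suppress the lookup file so the router never learns a new release exists; that is an availability problem the signature cannot solve, and it is why update checks that fail repeatedly deserve logging or an alert.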

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
