A flaw can be leveraged to trick some ASUS wireless routers into updating their firmware to older or potentially malicious versions, a researcher said.
ASUS routers of the RT series suffer from the issue, which has the CVE identifier CVE-2014-2718, said security researcher David Longenecker in a blog post.
The list of affected devices includes RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, and RT-N56U. While not confirmed, RT-N53, RT-N14U, RT-N16 and RT-N16R could also be affected, since they use the same firmware base, Longenecker said.
When ASUS RT routers check for firmware updates, they first download a file from http://dlcdnet.asus.com that tells the device the version of the latest firmware. The actual firmware image, matching the version determined in that first step, is then downloaded from the same domain.
The problem is that both files are downloaded over plain HTTP, without encryption, Longenecker said. This enables a malicious actor positioned as a man-in-the-middle (MitM) to make the router download an arbitrary file from a server he controls.
“No HTTPS = no assurance that the site on the other end is the legitimate ASUS web site, and no assurance that the firmware file and version lookup table have not been modified in transit,” Longenecker said.
In the attack scenario detailed by the researcher, the attacker downloads the version lookup file from the ASUS website, changes the version number it advertises as the latest update, and uploads the modified file to his own server. He then renames his own firmware image to match the naming convention ASUS uses for updates and uploads that file to his server as well. The key, the expert said, is to place both files at the same path they have on the legitimate ASUS domain.
When the router checks for a firmware update, the attacker launches a MitM attack so that the device's requests for dlcdnet.asus.com are directed to his own server. This can be done by adding a static entry to the "hosts" file, or by poisoning the DNS configuration on the router.
In his tests, the researcher could not get the router to install a rogue version of the firmware, because of file integrity checks put in place by ASUS. However, Longenecker believes the integrity check could be bypassed by modifying a legitimate binary in a way the upgrader would still accept.
Longenecker did show that an attacker can simply trick the router into installing an older, vulnerable version of the firmware instead of the latest release.
ASUS is aware of the vulnerability and fixed it silently with the release of version 220.127.116.11.376.1123.
“The new design incorporates a signed checksum downloaded from the ASUS web site, which is verified using the public key on the router. Without the private key, an attacker cannot sign a checksum in such a way that the router would accept it,” Longenecker said. “A MITM attack could still show a new firmware as available, or prevent the router from seeing a legitimate new firmware, but an attacker can no longer induce the router to install a fake firmware. I strongly suggest installing this update as soon as possible.”