David Longenecker revealed in his blog post that ASUS wireless RT-series routers are vulnerable to a man-in-the-middle (MitM) attack because they download updates over HTTP without any encryption.
The reported vulnerability has been submitted as CVE-2014-2718. The affected routers are RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N56R, RT-N56U. According to the researcher, the RT-N53, RT-N14U, RT-N16 and RT-N16R can also be impacted by the flaw, as they share the same firmware base in a different version.
During the firmware update process, ASUS RT routers download a file from http://dlcdnet.asus.com to check for the latest version of the firmware. The router then downloads the firmware matching that version number from the same website.
Because the router downloads these files over HTTP, not HTTPS, it has no assurance that they come from the legitimate server. An attacker can easily manipulate both the version list and the firmware and force the router to download them from his own server, performing a MitM attack.
According to David, the attacker can download the file containing the latest firmware update from the ASUS website. He then changes the version of the latest update and re-uploads the file to his own server. The attacker can rename his own firmware to match the naming convention used by ASUS for updates and upload that file to his server as well. To make the attack successful, the attacker has to place both files at the same path as on the legitimate ASUS domain.
The router can easily be fooled into downloading the firmware from the attacker's own server by poisoning the router's DNS configuration or by adding a static host to /etc/hosts. David demonstrated in his post that the router can be forced to download an older, vulnerable version of the firmware instead of the latest one.
David reported the vulnerability to ASUS, and the company fixed the issue by releasing version 3.0.0.4.376.1123.
David strongly suggests that ASUS router users download the latest version directly from the ASUS website, not through the router's GUI.
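
The checks below are an added example, not code from David's post or from ASUS: an update client that refuses the downgrade described above by requiring HTTPS from the expected host, a strictly newer version, and a SHA-256 digest obtained out of band. The function names, the image bytes, the pinned digest, the URL paths and every version number other than 3.0.0.4.376.1123 are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

ALLOWED_HOST = "dlcdnet.asus.com"        # host named in the article
INSTALLED = "3.0.0.4.376.1123"           # fixed release named in the article
IMAGE = b"constructed firmware image"    # constructed stand-in for a firmware file
PINNED_SHA256 = hashlib.sha256(IMAGE).hexdigest()  # assumed to be obtained out of band


def parse_version(text):
    """Turn a dotted version such as '3.0.0.4.376.1123' into a tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def check_update(url, offered, installed, image, pinned_sha256, allowed_host):
    """Return the reasons to refuse an update; an empty list means accept."""
    problems = []
    parts = urlsplit(url)
    # Plain HTTP gives no server authentication, so a poisoned DNS answer wins.
    if parts.scheme != "https":
        problems.append("transport is not HTTPS")
    if parts.hostname != allowed_host:
        problems.append("unexpected download host")
    # Refuse equal or older versions so a forged version list cannot downgrade.
    if parse_version(offered) <= parse_version(installed):
        problems.append("offered version is not newer than installed")
    # The digest check holds even if the transport or the host is compromised.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        problems.append("image digest does not match pinned value")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a legitimate newer update, then an HTTP downgrade.
    cases = [
        ("https://dlcdnet.asus.com/PLACEHOLDER/fw.bin", "3.0.0.4.376.1124", IMAGE),
        ("http://dlcdnet.asus.com/PLACEHOLDER/fw.bin", "3.0.0.4.376.1000", b"old image"),
    ]
    for url, offered, image in cases:
        result = check_update(url, offered, INSTALLED, image, PINNED_SHA256, ALLOWED_HOST)
        print(url, offered, "->", result or "accept")
```
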
