ID

VAR-201411-0483


CVE

CVE-2014-2718


TITLE

ASUS RT Series router firmware arbitrary code execution vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005239

DESCRIPTION

ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (1) update information or (2) downloaded updates, which allows man-in-the-middle (MITM) attackers to execute arbitrary code via a crafted image.

Supplementary information: the vulnerability type has been identified as CWE-345: Insufficient Verification of Data Authenticity.

ASUS RT-Series Wireless Routers are wireless router devices. There is a man-in-the-middle security bypass vulnerability in ASUS RT Series Wireless Routers. An attacker can exploit the vulnerability to bypass certain restrictions and obtain sensitive information. The following products are affected: ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U.

In short, the router downloads via clear-text a file from http://dlcdnet.asus.com, parses it to determine the latest firmware version, then downloads (again in the clear) a binary file matching that version number from the same web site. No HTTP = no assurance that the site on the other end is the legitimate ASUS web site, and no assurance that the firmware file and version lookup table have not been modified in transit. In the link below I describe the issue in detail, and demonstrate a proof of concept through which I successfully caused an RT-AC66R to "upgrade" to an older firmware with known vulnerabilities. In concept it should also be possible to deliver a fully custom malicious firmware in the same manner. This applies to the RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U. It may also apply to the RT-N53, RT-N14U, RT-N16, and RT-N16R since they use the same firmware base but a different sub-version. This has been fixed as an undocumented feature of the 376 firmware branch (3.0.0.4.376.x).

Details and POC: http://dnlongen.blogspot.com/2014/10/CVE-2014-2718-Asus-RT-MITM.html

--
Regards, David Longenecker @dnlongen

Trust: 2.61

sources: NVD: CVE-2014-2718 // JVNDB: JVNDB-2014-005239 // CNVD: CNVD-2014-07699 // BID: 70791 // VULHUB: VHN-70657 // PACKETSTORM: 128904

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-07699

AFFECTED PRODUCTS

vendor: t mobile, model: tm-ac1900, scope: eq, version: 3.0.0.4.376_3169

Trust: 1.6

vendor: asus, model: rt series, scope: lte, version: 3.0.0.4.374.x

Trust: 1.0

vendor: asustek computer, model: rt, scope: lt, version: 3.0.0.4.376.x

Trust: 0.8

vendor: asus, model: rt-series wireless routers, scope: -, version: -

Trust: 0.6

vendor: asus, model: rt-n66u, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-n66r, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-n56u, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-n56r, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-n53, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-n16r, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-n16, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-n14u, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-ac68u, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-ac66u, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-ac66r, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-ac56u, scope: eq, version: 0

Trust: 0.3

vendor: asus, model: rt-ac56r, scope: eq, version: 0

Trust: 0.3

sources: CNVD: CNVD-2014-07699 // BID: 70791 // JVNDB: JVNDB-2014-005239 // CNNVD: CNNVD-201410-1415 // NVD: CVE-2014-2718

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2718
value: HIGH

Trust: 1.0

NVD: CVE-2014-2718
value: HIGH

Trust: 0.8

CNVD: CNVD-2014-07699
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201410-1415
value: HIGH

Trust: 0.6

VULHUB: VHN-70657
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-2718
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-07699
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-70657
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-07699 // VULHUB: VHN-70657 // JVNDB: JVNDB-2014-005239 // CNNVD: CNNVD-201410-1415 // NVD: CVE-2014-2718

PROBLEMTYPE DATA

problemtype:CWE-345

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-70657 // JVNDB: JVNDB-2014-005239 // NVD: CVE-2014-2718

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1415

TYPE

Design Error

Trust: 0.3

sources: BID: 70791

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005239

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-70657

PATCH

title: Top Page, url: http://www.asus.com/jp/

Trust: 0.8

title: Cellspot router firmware update information, url: https://support.t-mobile.com/docs/DOC-21994

Trust: 0.8

title: ASUS RT Series Wireless Routers patch for middleman security bypass vulnerabilities, url: https://www.cnvd.org.cn/patchInfo/show/51508

Trust: 0.6

title: FW_RT_AC68U_30043763715, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54536

Trust: 0.6

title: FW_RT_AC68U_30043763626, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54537

Trust: 0.6

title: FW_RT_AC68U_30043761663, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54538

Trust: 0.6

sources: CNVD: CNVD-2014-07699 // JVNDB: JVNDB-2014-005239 // CNNVD: CNNVD-201410-1415

EXTERNAL IDS

db: NVD, id: CVE-2014-2718

Trust: 3.5

db: BID, id: 70791

Trust: 2.6

db: PACKETSTORM, id: 128904

Trust: 1.8

db: JVNDB, id: JVNDB-2014-005239

Trust: 0.8

db: CNNVD, id: CNNVD-201410-1415

Trust: 0.7

db: CNVD, id: CNVD-2014-07699

Trust: 0.6

db: XF, id: 98316

Trust: 0.6

db: VULHUB, id: VHN-70657

Trust: 0.1

sources: CNVD: CNVD-2014-07699 // VULHUB: VHN-70657 // BID: 70791 // JVNDB: JVNDB-2014-005239 // PACKETSTORM: 128904 // CNNVD: CNNVD-201410-1415 // NVD: CVE-2014-2718

REFERENCES

url:http://seclists.org/fulldisclosure/2014/oct/122

Trust: 2.5

url:http://www.securityfocus.com/bid/70791

Trust: 2.3

url:http://dnlongen.blogspot.com/2014/10/cve-2014-2718-asus-rt-mitm.html

Trust: 2.1

url:http://packetstormsecurity.com/files/128904/asus-router-man-in-the-middle.html

Trust: 1.7

url:https://support.t-mobile.com/docs/doc-21994

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/98316

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2718

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2718

Trust: 0.8

url:http://dnlongen.blogspot.jp/2014/10/cve-2014-2718-asus-rt-mitm.html

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/98316

Trust: 0.6

url:http://www.asus.com/

Trust: 0.3

url:http://dlcdnet.asus.com

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-2718

Trust: 0.1

sources: CNVD: CNVD-2014-07699 // VULHUB: VHN-70657 // BID: 70791 // JVNDB: JVNDB-2014-005239 // PACKETSTORM: 128904 // CNNVD: CNNVD-201410-1415 // NVD: CVE-2014-2718

CREDITS

David Longenecker

Trust: 1.0

sources: BID: 70791 // PACKETSTORM: 128904 // CNNVD: CNNVD-201410-1415

SOURCES

db: CNVD, id: CNVD-2014-07699
db: VULHUB, id: VHN-70657
db: BID, id: 70791
db: JVNDB, id: JVNDB-2014-005239
db: PACKETSTORM, id: 128904
db: CNNVD, id: CNNVD-201410-1415
db: NVD, id: CVE-2014-2718

LAST UPDATE DATE

2024-11-23T22:52:49.688000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-07699, date: 2014-10-31T00:00:00
db: VULHUB, id: VHN-70657, date: 2017-08-29T00:00:00
db: BID, id: 70791, date: 2014-10-28T00:00:00
db: JVNDB, id: JVNDB-2014-005239, date: 2016-02-10T00:00:00
db: CNNVD, id: CNNVD-201410-1415, date: 2014-11-05T00:00:00
db: NVD, id: CVE-2014-2718, date: 2024-11-21T02:06:49.693

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-07699, date: 2014-10-31T00:00:00
db: VULHUB, id: VHN-70657, date: 2014-11-04T00:00:00
db: BID, id: 70791, date: 2014-10-28T00:00:00
db: JVNDB, id: JVNDB-2014-005239, date: 2014-11-07T00:00:00
db: PACKETSTORM, id: 128904, date: 2014-10-29T12:11:11
db: CNNVD, id: CNNVD-201410-1415, date: 2014-10-30T00:00:00
db: NVD, id: CVE-2014-2718, date: 2014-11-04T22:55:06.417