CVE-2014-2718

panhead20

Occasional Visitor
ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (1) update information or (2) downloaded updates, which allows man-in-the-middle (MITM) attackers to execute arbitrary code via a crafted image.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2718


Any plans to go to signed firmware?
 

RMerlin

Asuswrt-Merlin dev
ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (1) update information or (2) downloaded updates, which allows man-in-the-middle (MITM) attackers to execute arbitrary code via a crafted image.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2718


Any plans to go to signed firmware?

I don't support automatic online updates, so this doesn't apply to my firmware.

As for manual updates, I provide a SHA256 signature with each new release (previous releases provided an MD5 hash), so you can manually verify them. Hashes are posted in a totally separate location from the firmware itself, so someone would have to hack both my Mediafire and SNB accounts to be able to falsify the published signatures.
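The manual check described in the reply above, sketched as an added example that is not part of the original thread and not code from Asuswrt-Merlin. The function names are assumptions; the expected hash is meant to be copied from the separate location where hashes are published, not from the download page.

```shell
#!/bin/sh
# Added example: compare a downloaded firmware image with a SHA-256 hash
# obtained over a separate channel. Function names are hypothetical.

# Print the lowercase SHA-256 hex digest of a file (read via stdin so the
# file name never influences the tool's output format).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        shasum -a 256 < "$1" | awk '{print $1}'
    fi
}

# verify_firmware FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_firmware() {
    file=$1
    # Normalise a pasted hash: drop whitespace, fold to lowercase.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # A SHA-256 digest is exactly 64 hex characters. Reject anything else,
    # such as a 32-character MD5 from an older release or a truncated paste,
    # instead of reporting it as an ordinary mismatch.
    case $expected in
        *[!0-9a-f]*) echo "expected hash is not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || {
        echo "expected hash is ${#expected} characters, not 64" >&2
        return 2
    }

    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: do not flash $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (file name and hash are placeholders):
#   verify_firmware ./firmware-image.trx "<hash copied from the separate location>"
```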
 