CVE-2014-2718

panhead20

Occasional Visitor
ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (1) update information or (2) downloaded updates, which allows man-in-the-middle (MITM) attackers to execute arbitrary code via a crafted image.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2718


Any plans to go to signed firmware?
 
ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (1) update information or (2) downloaded updates, which allows man-in-the-middle (MITM) attackers to execute arbitrary code via a crafted image.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2718


Any plans to go to signed firmware?

I don't support automatic online updates, so this doesn't apply to my firmware.

As for manual updates, I provide a SHA256 signature with each new release (previous releases provided an MD5 hash), so you can manually verify them. Hashes are posted in a totally separate location from the firmware itself, so someone would have to hack both my Mediafire and SNB accounts to be able to falsify the published signatures.
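The manual check described in the reply above, as an added example that is not code from the thread or from the firmware project: it compares a downloaded image against a published digest line and flags the older MD5 case as weak. The `<hex digest>  <filename>` line format, the file name and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm; older releases on the page used MD5.
ALGO_BY_HEXLEN = {32: "md5", 64: "sha256"}

def parse_published(line):
    """Parse a '<hex digest>  <filename>' line copied from the release post."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<hex digest> <filename>'")
    digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
    if len(digest) not in ALGO_BY_HEXLEN or set(digest) - set("0123456789abcdef"):
        raise ValueError("not an MD5 or SHA-256 hex digest")
    return ALGO_BY_HEXLEN[len(digest)], digest, name

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # 1 MiB chunks
            h.update(chunk)
    return h.hexdigest()

def verify(path, published_line):
    algo, expected, name = parse_published(published_line)
    if os.path.basename(path) != name:
        return "WRONG_FILE"
    if not hmac.compare_digest(file_digest(path, algo), expected):
        return "MISMATCH"
    return "OK_WEAK_MD5" if algo == "md5" else "OK"

def demo():
    """Constructed sample data: a fake image, its digests, then a tampered copy."""
    data, name, out = b"constructed firmware bytes" * 1000, "sample_fw.trx", {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        sha_line = hashlib.sha256(data).hexdigest() + "  " + name
        out["sha256"] = verify(path, sha_line)
        out["md5"] = verify(path, hashlib.md5(data).hexdigest() + " *" + name)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate an image altered in transit
        out["tampered"] = verify(path, sha_line)
    return out

if __name__ == "__main__":
    print(demo())
```

The result only means something if the digest line was copied from a channel separate from the download itself, which is the property the reply relies on.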
 
