Wavlink AC3000 Missing Authentication Vulnerability in Firmware Update Process

A vulnerability allowing arbitrary firmware updates exists in the Wavlink AC3000 router model M33A8.V5030.210505. This issue arises from the 'fw_check.sh' script, which lacks proper authentication and can be exploited by intercepting HTTP requests. Once the firmware update is triggered, the router automatically flashes the new firmware without any additional validation, creating a risk of unauthorized modifications or potentially harmful changes to the device's functionality.

Impact

Exploitation of this vulnerability allows for unauthorized firmware updates, which could lead to arbitrary code execution or modification of the device's behavior.

Reproduction

The vulnerability can be reproduced by performing a man-in-the-middle attack on the 'fw_check.sh' script, which is scheduled to run via cron. Intercept the HTTP requests made by the script to one of the firmware update URLs, and replace them with a URL pointing to a malicious firmware file. The script will download and install the firmware without any verification, effectively allowing the attacker to flash arbitrary firmware onto the device.

Remediation

Wavlink has acknowledged the vulnerability and is working on a patch, although no specific release date has been provided. Users are advised to monitor for updates from Wavlink.