GL-Inet GL-AXT1800
cpe:2.3:h:gl-inet:axt1800:*:*:*:*:*:*:*
- 4.7.0
A firmware downgrade vulnerability has been identified in the OTA update functionality of the GL-Inet GL-AXT1800 router, specifically in version 4.7.0. This vulnerability allows an attacker to perform a man-in-the-middle (MitM) attack and downgrade the router's firmware by exploiting improper certificate validation during the update process. The issue arises because the router's upgrade mechanism can be manipulated to select an older, vulnerable firmware version, which could then be exploited to execute arbitrary code on the device.
Exploitation of this vulnerability could lead to unauthorized firmware downgrades, allowing attackers to revert the router to a version with known vulnerabilities that could be exploited for malicious purposes, such as executing arbitrary code.
To reproduce this vulnerability, intercept the router's HTTPS requests to the firmware update server. Modify the response of the 'list-sha256.txt' file to include a vulnerable firmware version with a higher version number, tricking the router into selecting it for an upgrade. Once the downgrade is complete, the router can be exploited using known vulnerabilities in the downgraded firmware.
Users are advised to update to the patched version of the firmware, which is available on the GL-Inet website.
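The downgrade described above works because the updater trusts the version label in the manifest. The following added example (not GL-Inet's code) shows an updater-side check that refuses an image whose embedded version disagrees with the manifest or is not newer than the installed one. The page names 'list-sha256.txt' but not its layout, so the three-column manifest format, the `VERSION=` image header, the function names and every version other than 4.7.0 are assumptions, and the image is assumed to have passed vendor signature verification already.

```python
import hashlib

# Assumed manifest line (not from the page): "<sha256>  <filename>  <version>"
# Assumed image layout: first line "VERSION=x.y.z", then the payload.
# Vendor signature verification of the image is assumed to happen before this.

def parse_version(text):
    """Turn '4.7.0' into (4, 7, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_manifest(manifest_text):
    """Return a list of (sha256, filename, advertised_version) entries."""
    entries = []
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, name, version = line.split()
        entries.append((digest.lower(), name, parse_version(version)))
    return entries

def embedded_version(image):
    """Read the version from the image itself, not from the manifest."""
    header, _, _ = image.partition(b"\n")
    if not header.startswith(b"VERSION="):
        raise ValueError("image has no version header")
    return parse_version(header[len(b"VERSION="):].decode("ascii"))

def check_candidate(entry, image, installed):
    """Return 'ok' or the reason the candidate is refused."""
    digest, _name, advertised = entry
    if hashlib.sha256(image).hexdigest() != digest:
        return "hash mismatch"
    actual = embedded_version(image)
    if actual != advertised:
        return "manifest version does not match image"
    if actual <= installed:
        return "rollback refused"
    return "ok"

# Constructed sample data: only 4.7.0 comes from the page.
INSTALLED = parse_version("4.7.0")
OLD_IMAGE = b"VERSION=4.5.0\nconstructed-old-payload"
NEW_IMAGE = b"VERSION=4.8.0\nconstructed-new-payload"
TAMPERED = f"{hashlib.sha256(OLD_IMAGE).hexdigest()}  old.img  4.9.0\n"
HONEST_OLD = f"{hashlib.sha256(OLD_IMAGE).hexdigest()}  old.img  4.5.0\n"
GENUINE = f"{hashlib.sha256(NEW_IMAGE).hexdigest()}  new.img  4.8.0\n"

if __name__ == "__main__":
    for manifest, image in ((TAMPERED, OLD_IMAGE), (GENUINE, NEW_IMAGE)):
        print(check_candidate(parse_manifest(manifest)[0], image, INSTALLED))
```

This check is defence in depth: it does not replace correct certificate validation on the update channel, which is the root cause the advisory identifies.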