Mercusys MW305R TLS Certificate Private Key Disclosure Vulnerability

Vulnerability

A vulnerability exists in the Mercusys MW305R router in versions through 3.30, allowing for the disclosure of the Transport Layer Security (TLS) certificate private key. This issue arises from a hard-coded private key stored in plaintext within the device's firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware, analyzing the binary data, and retrieving the private key. Successful exploitation could enable unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks on the affected device.

Impact

Exploitation of this vulnerability allows for the unauthorized disclosure of the TLS certificate private key, which could be used to decrypt sensitive data and conduct Man-in-the-Middle (MitM) attacks on the affected device.

Reproduction

To reproduce this vulnerability, download the firmware version DMW305R(EU)_V3.30_1.11.2 Build 241223 from the Mercusys website. After obtaining the firmware, use a tool like Binwalk to extract the contents of the firmware file. Once extracted, search for files with a '.pem' extension, which will reveal the private key and certificate files. The private key can be found in cleartext within the extracted files.
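The same search can be turned into a release gate that a firmware build pipeline runs over the unpacked root filesystem before an image ships. The sketch below is an added example, not code from the advisory or from the vendor. It goes beyond the '.pem' search above by scanning every file for PEM private key blocks, so a key compiled into a binary is also caught. The file paths and key bodies are constructed placeholders.

```python
import os
import re
import tempfile

# PEM armor for private keys: PKCS#8, legacy RSA/EC/DSA, and encrypted PKCS#8.
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----"
    rb"(.*?)-----END \1-----", re.DOTALL)

def scan_tree(root):
    """Return sorted (relative_path, pem_label, protected) for each private key block."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # unpacked root filesystems contain symlinks and device nodes
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for m in PEM_KEY.finditer(data):
                label = m.group(1).decode()
                # Passphrase-protected: encrypted PKCS#8 or the legacy Proc-Type header.
                protected = (label.startswith("ENCRYPTED")
                             or b"Proc-Type: 4,ENCRYPTED" in m.group(2))
                findings.append((rel, label, protected))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout; paths are hypothetical, key bodies are placeholders."""
    body = b"\nQ09OU1RSVUNURUQ=\n"  # base64 of "CONSTRUCTED", not key material
    samples = {
        "etc/server.pem": b"-----BEGIN RSA PRIVATE KEY-----" + body + b"-----END RSA PRIVATE KEY-----\n",
        "etc/cert.pem": b"-----BEGIN CERTIFICATE-----" + body + b"-----END CERTIFICATE-----\n",
        "etc/enc.key": b"-----BEGIN ENCRYPTED PRIVATE KEY-----" + body + b"-----END ENCRYPTED PRIVATE KEY-----\n",
        "usr/bin/httpd": b"\x7fELF\x00-----BEGIN PRIVATE KEY-----" + body + b"-----END PRIVATE KEY-----\x00",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, label, protected in demo():
        print(f"{'warn' if protected else 'FAIL'} {rel}: {label}")
```

Any finding with `protected` set to False is a cleartext key shared by every device running that image and should block the release.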

Added: Sep 26, 2025, 4:20 PM
Updated: Sep 26, 2025, 4:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.