CVE-2022-46435

An attacker with a privileged network position (obtained via ARP spoofing, DNS spoofing, or similar techniques) can intercept the plain HTTP firmware upload and replace the user's legitimate firmware image with a crafted malicious image [ref_id=1]. The attacker modifies arbitrary bytes in the kernel (e.g., 4 bytes at offset 0x400–0x403) and recalculates the MD5 checksums in the firmware headers so that the modified image passes the device's checksum verification [ref_id=1]. Because the firmware delivery uses unencrypted HTTP and there is no cryptographic signature verification, the device accepts the tampered image and flashes it, resulting in arbitrary code execution or denial of service [ref_id=1].

The firmware update verification function `upgradeFirmware` (decompiled from the device's web server binary) validates the uploaded image by comparing MD5 checksums stored in the firmware headers against computed digests [ref_id=1]. The firmware image structure is [header, bootloader, header, kernel, rootfs], and each header contains an MD5 checksum used for integrity checking [ref_id=1]. No specific source file paths are provided in the advisory.

The advisory does not provide a vendor patch or fix commit [ref_id=1]. The recommended remediation would be to enforce cryptographically signed firmware images and to serve the firmware update interface and delivery over HTTPS to prevent man-in-the-middle tampering [ref_id=1]. Without these protections, an attacker who can intercept the HTTP traffic can trivially replace the firmware image and recalculate its checksums to bypass the existing MD5-based integrity check [ref_id=1].