Unrated severity · NVD Advisory · Published Dec 20, 2022 · Updated Apr 16, 2025

CVE-2022-46912

Description

An issue in the firmware update process of TP-Link TL-WR841N / TL-WA841ND V7 3.13.9 and earlier allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing cryptographic signature verification and plain HTTP firmware delivery allow an attacker to replace a legitimate firmware image with a crafted one that passes MD5 integrity checks."

Attack vector

An attacker with a privileged network position (obtained via ARP spoofing, DNS spoofing, or similar techniques) can intercept the plain HTTP firmware delivery and replace the user-uploaded firmware image with a crafted malicious image. The attacker modifies arbitrary bytes in the kernel (e.g., 4 bytes at offset 0x700–0x703) and recalculates the MD5 checksums in the firmware header to match the modified content. Because the firmware update process only verifies MD5 checksums and does not perform cryptographic signature verification, the crafted image passes the `md5_verify_digest` check and is flashed onto the device, resulting in arbitrary code execution or denial-of-service [ref_id=1].

Affected code

The vulnerability resides in the firmware update function `upgradeFirmware` (decompiled pseudocode provided in the advisory). This function performs an MD5 checksum comparison to verify firmware integrity but does not enforce cryptographic signature verification. The firmware image structure is [header, bootloader, header, kernel, rootfs], with each header containing an MD5 checksum used for integrity checking [ref_id=1].

What the fix does

The advisory does not provide a vendor patch or remediation commit. It identifies that the root cause is the lack of cryptographic signature verification for firmware images and the use of unencrypted HTTP for firmware delivery. The recommended fix would be to implement cryptographic signature verification (e.g., RSA or ECDSA signing) of the firmware image and to serve firmware updates over HTTPS to prevent man-in-the-middle tampering. As of the advisory's publication, no fix has been released for the affected firmware version 3.13.9 and earlier [ref_id=1].
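
The contrast described above, as an added example that is not code from the advisory or the vendor: a header MD5 check accepts any image whose checksum was recomputed, while a detached RSA signature check does not. The 16-byte-MD5-plus-body layout, the function names and the demo key built from two Mersenne primes are assumptions for illustration; the key is not secure, and a real updater would use a vetted crypto library.

```python
import hashlib

# Constructed demo key from two Mersenne primes. Illustration only: NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, baked into the device
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, stays with the vendor
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def build_image(body: bytes) -> bytes:
    """Hypothetical simplified layout: 16-byte MD5 header followed by the body."""
    return hashlib.md5(body).digest() + body

def md5_only_check(image: bytes) -> bool:
    """Unkeyed check: anyone who changes the body can also rewrite the header."""
    return hashlib.md5(image[16:]).digest() == image[:16]

def _emsa_pkcs1_v15(image: bytes) -> bytes:
    """Expected signature block: 00 01 FF..FF 00 || DigestInfo(SHA-256(image))."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(image: bytes) -> bytes:
    """Vendor side: needs the private exponent D."""
    m = int.from_bytes(_emsa_pkcs1_v15(image), "big")
    return pow(m, D, N).to_bytes(K, "big")

def verify_signature(image: bytes, sig: bytes) -> bool:
    """Device side: needs only (N, E); re-encode and compare, reject any mismatch."""
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return False
    recovered = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return recovered == _emsa_pkcs1_v15(image)

def accept_update(image: bytes, sig: bytes) -> bool:
    """Flash only if both the corruption check and the authenticity check pass."""
    return md5_only_check(image) and verify_signature(image, sig)

# Constructed sample data: a genuine image, and one whose body differs with MD5 recomputed
genuine = build_image(b"constructed-kernel-and-rootfs-bytes")
genuine_sig = sign(genuine)
altered = build_image(b"constructed-kernel-and-rootfs-bytez")

if __name__ == "__main__":
    print("md5 only, altered image:       ", md5_only_check(altered))
    print("md5 + signature, altered image:", accept_update(altered, genuine_sig))
    print("md5 + signature, genuine image:", accept_update(genuine, genuine_sig))
```

The MD5 header still has a use as a corruption check; the signature is what ties the image to the holder of the private key.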

Preconditions

  • network: Attacker must have a privileged network position (e.g., via ARP spoofing, DNS spoofing, or man-in-the-middle) between the victim device and the firmware source
  • input: Victim must initiate a firmware update via the web interface while the attacker is positioned on the network path

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
