VYPR
Unrated severity · NVD Advisory · Published Dec 20, 2022 · Updated Apr 16, 2025

CVE-2022-46914

Description

An issue in the firmware update process of TP-LINK TL-WA801N / TL-WA801ND V1 v3.12.16 and earlier allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing cryptographic signature verification and plain HTTP firmware delivery allow an attacker to modify the firmware image and recalculate its MD5 checksum to bypass integrity checks."

Attack vector

An attacker with a privileged network position (obtained via ARP spoofing, DNS spoofing, or similar techniques) can intercept the firmware update traffic, which is transmitted over plain HTTP without cryptographic protection. The attacker replaces several bytes in the kernel portion of the firmware image with arbitrary bytes, recalculates the MD5 checksums, and updates the checksum fields in the firmware headers accordingly. During the firmware update process, the attacker replaces the user-uploaded legitimate firmware with this crafted malicious image. Because the device's verification only checks MD5 digests against the header values, the modified image passes validation and is flashed onto the device, resulting in arbitrary code execution or denial-of-service [ref_id=1].

Affected code

The firmware update verification function `upgradeFirmware` (decompiled from the device's web server binary) validates the uploaded firmware image by comparing MD5 checksums stored in the firmware headers against computed digests. The firmware image structure is [header, bootloader, header, kernel, rootfs], with each header containing an MD5 checksum used for integrity verification [ref_id=1].

What the fix does

The advisory does not provide a vendor patch or fix. The researcher notes that the root cause is the lack of cryptographic protection during firmware delivery (plain HTTP) and the absence of digital signature verification on the firmware image itself. The recommended remediation would be to use HTTPS for firmware delivery and to implement cryptographic signature verification (e.g., RSA or ECDSA) on the firmware image so that any modification invalidates the signature regardless of MD5 checksum recalculation [ref_id=1].
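The difference between the two checks, as an added example that is not from the advisory or the vendor: it uses a constructed single-header image layout (not the real TP-LINK format), and HMAC-SHA256 stands in for the RSA/ECDSA signature because Python's standard library has no asymmetric verification. All function names and the key are hypothetical.

```python
import hashlib
import hmac

HEADER_LEN = 16  # constructed layout: 16-byte MD5 digest, then the payload


def build_image(payload: bytes) -> bytes:
    """Constructed toy image [md5(payload) | payload]; anyone can produce one."""
    return hashlib.md5(payload).digest() + payload


def md5_header_check(image: bytes) -> bool:
    """Integrity-only check: the reference digest travels inside the image."""
    if len(image) <= HEADER_LEN:
        return False  # truncated or empty upload
    stored, payload = image[:HEADER_LEN], image[HEADER_LEN:]
    return hmac.compare_digest(stored, hashlib.md5(payload).digest())


def sign_image(image: bytes, key: bytes) -> bytes:
    """Vendor side (assumption): tag computed over the whole image, header included."""
    return hmac.new(key, image, hashlib.sha256).digest()


def authenticated_check(image: bytes, tag: bytes, key: bytes) -> bool:
    """Device side: the image must be well-formed AND match a tag that
    cannot be recomputed without the key."""
    if not md5_header_check(image):
        return False
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    key = b"constructed-demo-key"                 # constructed sample value
    released = build_image(b"kernel+rootfs v1")   # constructed sample payload
    tag = sign_image(released, key)
    # An image rebuilt from different bytes carries a matching MD5 by construction.
    altered = build_image(b"kernel+rootfs v2")
    return {
        "md5_accepts_released": md5_header_check(released),
        "md5_accepts_altered": md5_header_check(altered),
        "auth_accepts_released": authenticated_check(released, tag, key),
        "auth_accepts_altered": authenticated_check(altered, tag, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With HMAC the verification key on the device is also a signing key, so a production design would keep only a public key on the device and verify an RSA or ECDSA signature, as the remediation above describes.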

Preconditions

  • network: Attacker must be in a privileged network position (e.g., via ARP spoofing or DNS spoofing) to intercept and replace firmware update traffic
  • input: The user must initiate a firmware update via the device's web interface, uploading a firmware image over plain HTTP

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
