AVM FRITZBox Broadband VDSL and ADSL Routers in Security Glitch

Tuesday, Jan 12th, 2016 (9:06 am) - Score 1,527

Owners of the German-made (AVM) FRITZ!Box home broadband routers, specifically models 3272, 7272, 3370/3390/3490, 7312/7412, 7320/7330 SL, 736x SL and the 7490, should ensure that they have the latest firmware (v6.30 or newer) in order to fix a nasty security vulnerability.

FRITZ!Box routers have proven to be quite popular amongst more advanced users, not least due to their extensive feature sets. However the RedTeam Pentesting group has now published details of a security vulnerability that was first discovered last year (here), although it wasn’t made public until now in order to allow AVM time to fix the flaw.


Essentially the team “discovered that several models of the AVM FRITZ!Box are vulnerable to a stack-based buffer overflow, which allows attackers to execute arbitrary code on the device.” A buffer overflow occurs when a program writes more data into a fixed-size area of the device's memory (a buffer) than it was sized to hold, so the excess spills over and overwrites adjacent memory. When that buffer lives on the stack, the overwritten memory can include data the program relies on to decide what to run next, which is how an attacker can turn the flaw into running their own code on a normally protected part of the router.
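To make the mechanism concrete, here is an added illustration written for this article, not code from AVM or from RedTeam Pentesting's advisory, and not the actual flaw in the FRITZ!Box firmware. It contrasts the generic vulnerable pattern (an unbounded copy into a fixed-size stack buffer) with a hardened version that checks the length first and refuses oversize input. The buffer size, function names and sample inputs are all assumptions made up for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32  /* hypothetical fixed-size stack buffer for this example */

/* Constructed sample input: 60 bytes of 'A', deliberately larger than NAME_BUF. */
static const char SAMPLE_LONG[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Vulnerable pattern: copies the whole input into a fixed stack buffer with no
   length check. Any input longer than NAME_BUF-1 bytes overwrites whatever sits
   next to the buffer on the stack. It is called below only with input that fits. */
int parse_name_unsafe(const char *input) {
    char name[NAME_BUF];
    strcpy(name, input);          /* unbounded copy: this is the defect */
    return (int)strlen(name);
}

/* Hardened version: measure first, refuse anything that does not fit, then copy
   with an explicit bound. Returns the copied length, or -1 if rejected. */
int parse_name_safe(const char *input, char *out, size_t out_len) {
    size_t n = strlen(input);
    if (out_len == 0 || n >= out_len) {
        return -1;                /* too long: reject rather than spill */
    }
    memcpy(out, input, n + 1);    /* n + 1 includes the terminating NUL */
    return (int)n;
}

/* Convenience wrapper: run the safe parser against a NAME_BUF-sized buffer. */
int parse_name_safe_check(const char *input) {
    char out[NAME_BUF];
    return parse_name_safe(input, out, sizeof out);
}

/* Defender's check: how many bytes a given input would spill past a NAME_BUF
   buffer if it were copied unchecked (0 means it fits, including the NUL). */
size_t overflow_bytes(const char *input) {
    size_t need = strlen(input) + 1;
    return need > NAME_BUF ? need - NAME_BUF : 0;
}

int main(void) {
    const char *short_in = "fritz.box";   /* constructed, fits the buffer */

    printf("short: unsafe=%d safe=%d spill=%zu\n",
           parse_name_unsafe(short_in),
           parse_name_safe_check(short_in),
           overflow_bytes(short_in));
    /* The unsafe parser is never given the long input here: doing so would
       corrupt the stack, which is exactly the behaviour the article describes. */
    printf("long:  safe=%d spill=%zu\n",
           parse_name_safe_check(SAMPLE_LONG),
           overflow_bytes(SAMPLE_LONG));
    return 0;
}
```

The point of the hardened function is that the length check happens before any byte is written, so an oversize request fails cleanly instead of corrupting memory; the `overflow_bytes` helper is the kind of arithmetic a reviewer does when auditing a fixed-size buffer against the largest input the code path can receive.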

RedTeam Pentesting Statement

After successful exploitation, attackers gain root privileges on the attacked device. This allows attackers to eavesdrop on traffic and to initiate and receive arbitrary phone calls, if the device is configured for telephony. Furthermore, backdoors may be installed to allow persistent access to the device.

In order to exploit the vulnerability, attackers either need to be able to connect to the service directly, i.e. from the LAN, or indirectly via an attacker-controlled website that is visited by a FRITZ!Box user. This website can exploit the vulnerability via cross-site request forgery, connecting to the service via the attacked user’s browser. Therefore, it is estimated that the vulnerability poses a high risk.

The good news, as separately noted by The Register, is that AVM’s routers actually firewall the affected service. So unless the owner has stupidly disabled the router’s firewall, any attacker would have to be able to connect directly to the device locally (LAN), which rules out a remote Internet-based exploit.

According to AVM’s German website the latest firmware (v6.50) was officially (non-beta) released on 10th December 2015, although the English language page for their high-end FRITZ!Box 7490 router still shows v6.30 as being the most recent release (27th August 2015) and it’s a similar story for their other devices. Luckily v6.30 is believed to fix the problem, but if you have anything older then now would be a good time to update.

By Mark Jackson