AVM FRITZBox Broadband VDSL and ADSL Routers in Security Glitch

Tuesday, January 12th, 2016 (9:06 am) - Score 1,487

Owners of the German-made (AVM) FRITZ!Box home broadband routers, specifically models 3272, 7272, 3370/3390/3490, 7312/7412, 7320/7330 SL, 736x SL and the 7490, should ensure that they have the latest firmware (v6.30 or newer) in order to fix a nasty security vulnerability.

FRITZ!Box routers have proven to be quite popular amongst more advanced users, not least due to their extensive feature sets. However the RedTeam Pentesting group has now published details of a security vulnerability that was first discovered last year (here), although it wasn’t made public until now in order to allow AVM time to fix the flaw.

Essentially the team “discovered that several models of the AVM FRITZ!Box are vulnerable to a stack-based buffer overflow, which allows attackers to execute arbitrary code on the device.” A buffer overflow occurs when a program writes more data into a fixed-size area of memory (a buffer) than was set aside for it, so the excess spills into the memory next to it. In a stack-based overflow that neighbouring memory includes the data the program relies on to carry on executing correctly, which is how an oversized input can be turned into control of the device.
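As an added illustration (not AVM's or RedTeam Pentesting's code, which this article does not reproduce), the following C model shows why a stack-based overflow is so serious: an unbounded copy of a request field runs past the local buffer into the saved return address that sits next to it, which is what lets an attacker redirect execution, and a length check stops it. The router service handler, the 16-byte field and the placeholder return value are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of handling one request field. */
enum result { ACCEPTED, REJECTED, RETURN_CLOBBERED };

/* Simplified model of a stack frame: a fixed-size local buffer followed
 * by the saved return address. Real layouts differ, but the principle is
 * the same: the copy has no bound, so it runs into its neighbour. */
struct frame {
    char     field[16];
    uint64_t saved_return;   /* stand-in for the real saved return address */
};

#define GOOD_RETURN 0x4000123456ULL   /* constructed placeholder value */

/* Vulnerable pattern: copies as many bytes as the request supplies.
 * The copy is capped at sizeof(struct frame) only so this model stays
 * well-defined; the real bug has no cap at all. */
enum result handle_request_vulnerable(const char *req, size_t req_len)
{
    struct frame f;
    f.saved_return = GOOD_RETURN;
    size_t n = req_len < sizeof f ? req_len : sizeof f;
    memcpy((unsigned char *)&f, req, n);   /* no check against sizeof f.field */
    return f.saved_return == GOOD_RETURN ? ACCEPTED : RETURN_CLOBBERED;
}

/* Hardened pattern: reject anything that does not fit, including the NUL. */
enum result handle_request_fixed(const char *req, size_t req_len)
{
    struct frame f;
    f.saved_return = GOOD_RETURN;
    if (req_len >= sizeof f.field)
        return REJECTED;                    /* overlong field: drop the request */
    memcpy(f.field, req, req_len);
    f.field[req_len] = '\0';
    return f.saved_return == GOOD_RETURN ? ACCEPTED : RETURN_CLOBBERED;
}

int main(void)
{
    /* Constructed inputs: a normal field and one longer than the buffer. */
    const char *ok = "hostname1", *oversized = "AAAAAAAAAAAAAAAAAAAAAAAA";
    printf("vulnerable, normal:    %d\n", handle_request_vulnerable(ok, strlen(ok)));
    printf("vulnerable, oversized: %d\n", handle_request_vulnerable(oversized, strlen(oversized)));
    printf("fixed, oversized:      %d\n", handle_request_fixed(oversized, strlen(oversized)));
    return 0;
}
```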

RedTeam Pentesting Statement

After successful exploitation, attackers gain root privileges on the attacked device. This allows attackers to eavesdrop on traffic and to initiate and receive arbitrary phone calls, if the device is configured for telephony. Furthermore, backdoors may be installed to allow persistent access to the device.

In order to exploit the vulnerability, attackers either need to be able to connect to the service directly, i.e. from the LAN, or indirectly via an attacker-controlled website that is visited by a FRITZ!Box user. This website can exploit the vulnerability via cross-site request forgery, connecting to the service via the attacked user’s browser. Therefore, it is estimated that the vulnerability poses a high risk.

The good news, as separately noted by The Register, is that AVM’s routers actually firewall the affected service. So unless the owner has stupidly disabled the router’s firewall, any attacker would have to be able to connect directly to the device locally (LAN), which rules out a remote Internet-based exploit.

According to AVM’s German website the latest firmware (v6.50) was officially (non-beta) released on 10th December 2015, although the English-language page for their high-end FRITZ!Box 7490 router still shows v6.30 as being the most recent release (27th August 2015), and it’s a similar story for their other devices. Luckily v6.30 is believed to fix the problem, but if you have anything older then now would be a good time to update.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Facebook and Linkedin.
2 Responses
  1. Captain_Cretin says:

    Is it true that any attempt to query a Fritzbox remotely gets the response “VE ASK ZE QVESTIONS!!!” ??

    .
    .
    .
    .
    .
    (Joke Alert)

    1. dragoneast says:

      That’s actually true; I have to go through a quiz when I access mine remotely, even with the correct login details (several of them).

      Seriously though, default settings allow firmware security updates to be applied automatically, and mine was updated to the current v6.30 several months ago.
