Edimax BR-6478AC & Others Multiple Vulnerabilities

From: mwinstead3790@gmail.com
To: bugtraq@securityfocus.com
Subject: Edimax BR-6478AC & Others Multiple Vulnerabilities

* Exploit Title: Edimax BR-6478AC & Others Multiple root-level execution vulnerabilities
* Discovery Date: 2015/06
* Public Disclosure Date: 2015/12/06
* Vulnerability Author: Michael Winstead
* Vendor Homepage: http://www.edimax.com/edimax/global/
* Category: embedded routers

Multiple authenticated web requests to the administrative web application on the Edimax BR-6478AC and
other Edimax routers may allow an attacker to gain root-level access to the underlying system. In addition,
automatic updates are not cryptographically protected, which could allow an "Evilgrade"-style
attack on a target.

Write-up and communications log may be found at:

2015/6/7 - Vendor notified via email
2015/8/20 - Vendor agrees to patch devices
2015/10/14 - Vendor releases patches
2015/11/24 - Coordinate with CERT for public release
2015/12/6 - Public vulnerability release

Update the following Edimax WiFi devices to at least the following versions:

1. BR-6478AC v2.20
2. BR-6208AC v1.28
3. BR-6288ACL v1.10
4. BR-6228nS_v2 v1.22
5. BR-6228nC_v2 v1.22
6. BR-6428nS_v2 v1.16
7. BR-6428nC v1.16
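
An added example, not part of the original advisory: a Python check of a device inventory against the minimum versions listed above. The inventory rows and hostnames are constructed, and comparing version components as integers (so 1.9 sorts below 1.10) is an assumption about the vendor's numbering.

```python
import re

# Minimum fixed firmware versions, copied from the advisory's list.
MIN_FIXED = {
    "BR-6478AC": "2.20",
    "BR-6208AC": "1.28",
    "BR-6288ACL": "1.10",
    "BR-6228nS_v2": "1.22",
    "BR-6228nC_v2": "1.22",
    "BR-6428nS_v2": "1.16",
    "BR-6428nC": "1.16",
}
_BY_LOWER = {m.lower(): v for m, v in MIN_FIXED.items()}

def parse_version(text):
    """Turn 'v1.10' or '1.10' into (1, 10); return None if it does not parse."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(model, installed):
    """Classify one device: patched, vulnerable, unknown-model or unparsed-version."""
    minimum = _BY_LOWER.get(model.strip().lower())
    if minimum is None:
        # Not in the advisory's list; the advisory says other models are
        # affected too, so this is "needs review", not "safe".
        return "unknown-model"
    have = parse_version(installed)
    if have is None:
        return "unparsed-version"
    # Assumption: components compare as integers, so (1, 9) < (1, 10).
    return "patched" if have >= parse_version(minimum) else "vulnerable"

# Constructed sample inventory (hostnames and installed versions are made up).
INVENTORY = [
    ("ap-lobby", "BR-6478AC", "v2.20"),
    ("ap-floor2", "BR-6288ACL", "1.9"),   # a float compare would call this patched
    ("ap-lab", "br-6208ac", "v1.30"),     # model names matched case-insensitively
    ("ap-store", "BR-6428nC", "beta"),
    ("ap-guest", "EXAMPLE-MODEL", "1.00"),  # placeholder model, not in the list
]

def audit_inventory(rows):
    return {host: audit(model, ver) for host, model, ver in rows}

if __name__ == "__main__":
    for host, status in audit_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```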
