# Weak Firmware Integrity Check Vulnerability During Firmware Update in Ubiquiti airFiber AF2X Radio

## Affected Products:

We have tested on **Ubiquiti airFiber AF2X Radio (firmware version: 3.2.2 and earlier)**. We suspect it may also work on other models with similar firmware versions.

## Overview:

The use of the cyclic redundancy check (CRC) algorithm for the integrity check during firmware update makes the Ubiquiti airFiber AF2X Radio vulnerable to firmware modification attacks. An attacker can conduct a man-in-the-middle (MITM) attack to modify the new firmware image and bypass the checksum verification. A successful attack can either introduce a backdoor or malware to the device or cause a denial of service (DoS) on the device.

## Details:

When performing the firmware update, the data integrity of a new firmware image is verified on the device based on the cyclic redundancy check (CRC) algorithm. Specifically, after unpacking the firmware image, there is a binary, *fwupdate.real*, responsible for conducting firmware updates. From the decompiled code (see Fig. 1), the binary checks the firmware integrity with CRC32, which can be easily bypassed.

An attacker with a privileged network position (which could be obtained via ARP spoofing, DNS spoofing, or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates. Specifically, the attacker can craft a malicious firmware image with the same CRC32 value as the original firmware image. Then, he/she can replace the benign firmware image during the firmware update process via a MITM attack so that the malicious firmware image can be flashed into the device.

![](https://i.imgur.com/PxdFmTm.png)

*Fig. 1. The decompiled firmware integrity check code during the firmware update.*
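
The contrast behind the issue described under Details, as an added example that is not part of the original advisory and is not the device's code: CRC32 is an unkeyed, affine function of the image bits, while an authenticated check only accepts an image whose tag was produced with a secret. The function names, key and sample bytes are constructed for illustration, and HMAC-SHA256 stands in for a vendor signature check, which is an assumption about a fix and not something the advisory specifies.

```python
import hashlib
import hmac
import zlib


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, crc32(a^b^c) == crc32(a)^crc32(b)^crc32(c).

    The checksum is a fixed, unkeyed function with this algebraic structure,
    so it detects accidental corruption but cannot show who built an image.
    """
    if not (len(a) == len(b) == len(c)):
        raise ValueError("inputs must have equal length")
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def crc_only_check(image: bytes, expected_crc: int) -> bool:
    """Weak pattern: no secret is involved in producing expected_crc."""
    return zlib.crc32(image) == expected_crc


def authenticated_check(image: bytes, tag: bytes, key: bytes) -> bool:
    """Hardened pattern: accept only if a keyed tag over the whole image
    verifies. HMAC-SHA256 is a stand-in for a signature check (assumption)."""
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


# Constructed sample data, not a real firmware image or key.
KEY = b"constructed-demo-key"
IMAGE = b"HDR" + bytes(range(64)) + b"rootfs-payload"
MODIFIED = IMAGE[:-1] + b"X"


def demo() -> dict:
    tag = hmac.new(KEY, IMAGE, hashlib.sha256).digest()
    return {
        "affine": crc32_is_affine(IMAGE, MODIFIED, bytes(len(IMAGE))),
        # Anyone can compute a valid CRC for any image: no key is needed.
        "crc_needs_no_secret": crc_only_check(MODIFIED, zlib.crc32(MODIFIED)),
        "tag_accepts_original": authenticated_check(IMAGE, tag, KEY),
        "tag_accepts_modified": authenticated_check(MODIFIED, tag, KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
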