The Berlin-based German router manufacturer AVM released FRITZ!OS version 7.57 for eligible FRITZ!Box models on September 4, 2023. AVM only states that this firmware update is a necessary stability and security update, so it is unclear which vulnerabilities have been fixed. The manufacturer intends to publish details at a later date, which may be because not all FRITZ!Box models have received the new firmware yet. Rumors on the Internet say that a serious vulnerability has been detected in FRITZ!Box 7590 models and that attacks in the wild have been observed. I have compiled what the Internet believes it knows.
Reports about a serious security vulnerability
Blog readers from Germany informed me about the security update and sent me a link to this Italian website, where there are rumors of a serious vulnerability in the FRITZ!Box 7590 firmware. The website refers to a weekly newsletter from the Fibra Click forum (a translated version can be found here), which talks about a serious security vulnerability discovered in the FRITZ!Box 7590.
The website speculates that the vulnerability allows attackers to gain control of the device via port 443. This is said to apply regardless of whether the corresponding router service is disabled or port 443 is set to forward to another device connected to the LAN. The vulnerability is also said to affect other models in the FRITZ!Box family.
The newsletter article cited by the website states that customers of various ISPs (including ISPs outside Italy) are being attacked by hackers, so the vulnerability is already being actively exploited. In these cases the hackers change the PPP credentials for the Internet connection and the administrative credentials for FRITZ!OS, which locks users out of the FRITZ!Box settings. The only way to resolve the problem is to reset the device.
Information from AVM
The Fibra Click forum mentions a press release from AVM stating that AVM is aware of cases in which Internet access via PPPoE and/or login to the user interface of the FRITZ!Box 7590 is no longer possible. A quick search has so far not turned up anything in AVM's press section – a request to AVM's press department has been sent. According to the report, AVM is currently investigating the matter in detail. What is currently known at AVM:
- In all cases it was determined that remote access to the FRITZ!Box user interface via HTTPS was enabled, using the well-known HTTPS port 443.
- In all cases this HTTPS access had been set up by the ISP to administer the router.
- AVM is not aware of any FRITZ!Box models affected by the issue other than the FRITZ!Box 7590.
What AVM recommends end users do if they are affected by an attack and need to restore Internet access:
- Open the FRITZ!Box user interface in a browser on a device connected to the FRITZ!Box.
- If logging in with the FRITZ!Box password is possible, click on "Wizard" and then on "Internet" and follow the instructions.
If login to the FRITZ!OS user interface is not possible, the FRITZ!Box must be reset to factory settings. This can be done on the login page via the "Forgotten password" option (see). Once the Internet connection has been restored, the FRITZ!Box should be updated to the current FRITZ!OS version.
Firmware updates for affected devices
The iPhone forum has taken the trouble to list the affected FRITZ!Box models and FRITZ!OS versions in more detail. AVM appears to have released FRITZ!OS 7.57 as well as FRITZ!OS 7.31 as security updates. Here is the list of updates for the respective models:
- 3490: Ver. 7.31
- 4040: Ver. 7.57
- 4060: Ver. 7.57
- 5490: Ver. 7.31
- 5491: Ver. 7.31
- 5530: Ver. 7.57
- 5590: Ver. 7.57
- 6590: Ver. 7.57
- 6591: Ver. 7.57
- 6660: Ver. 7.57
- 6690: Ver. 7.57
- 7362 SL: Ver. 7.14
- 7430: Ver. 7.31
- 7490: Ver. 7.57
- 7510: Ver. 7.57
- 7520 Typ A: Ver. 7.57
- 7520 Typ B: Ver. 7.57
- 7530: Ver. 7.57
- 7530 AX: Ver. 7.57
- 7560: Ver. 7.30
- 7580: Ver. 7.30
- 7581: Ver. 7.17
- 7583: Ver. 7.57
- 7590: Ver. 7.57
- 7590 AX: Ver. 7.57
The relevant forum post also lists FRITZ!Boxes that have not yet received a security update. The FRITZ!Box models supplied by cable providers are also likely to be a problem: in our experience these devices receive firmware updates quite late, as the updates are released by the cable providers themselves.
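For anyone looking after several FRITZ!Boxes, the following script (an added example, not code from AVM or from the forum post) triages a device inventory against the per-model versions listed above: a device counts as highest risk when it is below the fixed version and has HTTPS remote access on port 443 enabled, the pattern AVM describes. The inventory entries are constructed for the demo; version strings are parsed numerically so that the "07.57" form shown in the FRITZ!OS user interface compares correctly with "7.57".

```python
import re

# Per-model FRITZ!OS version carrying the security update, copied from the list above.
FIXED_VERSIONS = {
    "3490": "7.31", "4040": "7.57", "4060": "7.57", "5490": "7.31", "5491": "7.31",
    "5530": "7.57", "5590": "7.57", "6590": "7.57", "6591": "7.57", "6660": "7.57",
    "6690": "7.57", "7362 SL": "7.14", "7430": "7.31", "7490": "7.57", "7510": "7.57",
    "7520 Typ A": "7.57", "7520 Typ B": "7.57", "7530": "7.57", "7530 AX": "7.57",
    "7560": "7.30", "7580": "7.30", "7581": "7.17", "7583": "7.57", "7590": "7.57",
    "7590 AX": "7.57",
}

def parse_version(text):
    """Turn '7.57', '07.57' or 'FRITZ!OS 07.57' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 2:
        raise ValueError(f"unrecognised FRITZ!OS version: {text!r}")
    return tuple(int(p) for p in parts[:3])

def triage(inventory):
    """Return (risk, name, reason) for devices needing attention, highest risk first.

    Each inventory entry is (name, model, installed_version, remote_https_443_enabled).
    Risk 2: below the fixed version and HTTPS remote access on 443 enabled.
    Risk 1: below the fixed version, remote access not enabled.
    Risk 0: model has no security update listed yet, so it cannot be assessed.
    """
    findings = []
    for name, model, installed, exposed in inventory:
        fixed = FIXED_VERSIONS.get(model)
        if fixed is None:
            findings.append((0, name, f"model {model}: no security update listed yet"))
            continue
        if parse_version(installed) >= parse_version(fixed):
            continue  # already on, or past, the fixed release
        reason = f"model {model}: {installed} is below {fixed}"
        if exposed:
            reason += ", HTTPS remote access on port 443 enabled"
        findings.append((2 if exposed else 1, name, reason))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

if __name__ == "__main__":
    # Constructed inventory (device names, versions and flags are made up).
    demo = [("office", "7590", "FRITZ!OS 07.50", True),
            ("home", "7590 AX", "7.57", True),
            ("branch", "7490", "7.29", False),
            ("lab", "6890 LTE", "7.29", False)]
    for risk, name, reason in triage(demo):
        print(f"[risk {risk}] {name}: {reason}")
```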
A couple of hours ago I was offered the update to FRITZ!OS 7.57 for my FRITZ!Box 7590. Probably due to overload of AVM's servers, the download failed with an error message. I read that others have seen the same behavior. Later I tried again and the update installed successfully.