OpenWrt: Attackers could have infected certain images with malicious code
Due to a bug, OpenWrt images prepared with malicious code could have come into circulation. The security problem has now been solved.
A "critical" vulnerability in OpenWrt's SysUpgrade server jeopardized the integrity of some firmware images. A security researcher discovered vulnerabilities in the build process. The OpenWrt developers have now closed the gap.
OpenWrt is an alternative Linux-based firmware for certain router models, among other devices. In a warning message, the developers write that a security researcher from Flat Security has discovered the vulnerability (CVE-2024-54143). The bug is in the SysUpgrade feature, which lets users create new firmware images that carry over previously installed packages and settings with comparatively little effort and in a manageable amount of time.
Security problems
The security researcher states in a report that the sysupgrade.openwrt.org service runs in a container environment. Due to insufficient checks, attackers can insert their own code into images at this point using the "make" command. He also discovered that the service uses a SHA256 hash shortened to twelve digits for caching. Because the hash is thus limited to 48 bits, attackers can generate a hash collision using brute force attacks.
According to the security researcher, the combination of these two factors enabled him to create a legitimate-looking but manipulated firmware image. If this is used to replace an official image in the context of the sysupgrade.openwrt.org service, users are unaware of this and their devices are compromised after installation.
The OpenWrt developers state that attackers do not need to be authenticated for this. However, the prerequisite is that they must be able to transmit build requests with manipulated package lists. What this means in detail and how such an attack could take place is not currently specified.
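The truncated cache key described above, as an added example that is not taken from the article, the researcher's report or OpenWrt's code: a toy cache keyed by a shortened SHA-256 answers one request with the image built for another, and comparing the full digest prevents that. The request strings, class and function names are hypothetical, and a one-character key is used so the effect appears within 40 constructed requests.

```python
import hashlib

def cache_key(request: str, hex_len: int = 64) -> str:
    """SHA-256 of the build request, kept to the first hex_len hex characters."""
    return hashlib.sha256(request.encode()).hexdigest()[:hex_len]

def brute_force_cost(hex_len: int) -> tuple:
    """Rough work factors: (tries to match one chosen key,
    tries until any two inputs share a key, by the birthday bound)."""
    bits = 4 * hex_len
    return 2 ** bits, 2 ** (bits // 2)

class BuildCache:
    """Toy image cache; the stored string stands in for a firmware image."""

    def __init__(self, hex_len: int, verify_full_digest: bool = False):
        self.hex_len = hex_len
        self.verify = verify_full_digest
        self.entries = {}  # truncated key -> (full digest, image)

    def get_or_build(self, request: str) -> str:
        key, full = cache_key(request, self.hex_len), cache_key(request)
        hit = self.entries.get(key)
        # Weak mode trusts the short key alone; hardened mode also compares
        # the full digest and rebuilds when the entry belongs to another request.
        if hit and (not self.verify or hit[0] == full):
            return hit[1]
        image = f"image for [{request}]"
        self.entries[key] = (full, image)
        return image

def wrong_images(cache: BuildCache, requests: list) -> int:
    """Count requests that were answered with an image built for another one."""
    return sum(cache.get_or_build(r) != f"image for [{r}]" for r in requests)

# Constructed sample requests (hypothetical format, not the service's own).
REQUESTS = [f"profile=example-router;packages=pkg-{i}" for i in range(40)]

if __name__ == "__main__":
    print("12 hex chars:", brute_force_cost(12))
    print("short key only:", wrong_images(BuildCache(1), REQUESTS))
    print("short key + full digest check:",
          wrong_images(BuildCache(1, verify_full_digest=True), REQUESTS))
    print("full digest as key:", wrong_images(BuildCache(64), REQUESTS))
```
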
Securing devices
The developers assure us that they solved the security problem just a few hours after it was reported by the security researcher. They assume that no manipulated images have come into circulation. Nevertheless, users who have recently installed firmware created with SysUpgrade should perform an in-place upgrade of the same firmware version.
(des)