Advisory

OpenWrt reports a critical flaw in sysupgrade enabling install of malicious firmware

Take action: If you are running the OpenWrt router operating system, plan to patch soon. The exploit is not obvious or immediate, but once attackers manage to poison the artifact cache, the attack will be very unpleasant and wide-reaching. Patch soon.


Learn More

OpenWrt, the open-source Linux-based operating system, has disclosed and patched a critical security vulnerability in its sysupgrade server that could allow attackers to inject malicious firmware images into the system.

The vulnerability is tracked as CVE-2024-54143 (CVSS score 9.8) and stems from two distinct but interconnected issues in the system. The first is a command injection vulnerability in the Imagebuilder component, where user-supplied package names are incorporated into 'make' commands without proper sanitization. This flaw allows malicious users to inject arbitrary commands into the build process, potentially resulting in the creation of malicious firmware images that would be signed with legitimate build keys. The second issue involves truncated SHA-256 hash collisions, where the request hashing mechanism only uses 12 characters of the hash, significantly reducing its entropy and making it feasible for attackers to generate collisions.

By combining these flaws, attackers can exploit the reduced entropy to generate hash collisions, enabling them to serve previously built malicious images in place of legitimate ones. This allows for the "poisoning" of the artifact cache, ultimately leading to the delivery of compromised firmware images to unsuspecting users through the Attended SysUpgrade service.
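To make the two defects described above concrete, here is an added illustration (not OpenWrt's ASU server code; all names, the package-name allowlist and the request format are assumptions): a cache key cut to 12 hex characters of SHA-256 versus the full digest, the birthday bound that follows from that truncation, and the two defender-side checks a build service would want, an allowlist on package names before they reach any build command and a cache lookup that refuses to serve an artifact whose stored request does not match the incoming one.

```python
import hashlib
import math
import re

# Constructed model of the two defects in the advisory, not OpenWrt's own ASU
# server code: a cache key cut to 12 hex characters of SHA-256, and package
# names reaching a build command unvalidated. Names and signatures are assumed.

# Allowlist for package names (assumption): alphanumerics plus . _ + -
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")

def is_safe_package(name):
    """True only if the name cannot carry shell or make metacharacters."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None

def validate_packages(packages):
    """Reject the whole request if any package name fails the allowlist."""
    bad = [p for p in packages if not is_safe_package(p)]
    if bad:
        raise ValueError(f"rejected package names: {bad!r}")
    return list(packages)

def canonical(profile, version, packages):
    """Canonical text of a build request: profile, version, sorted packages."""
    return "\n".join([profile, version, *sorted(packages)])

def request_key(profile, version, packages, hex_chars=None):
    """SHA-256 of the canonical request; hex_chars=12 reproduces the
    truncation described in the advisory, None keeps all 64 characters."""
    digest = hashlib.sha256(canonical(profile, version, packages).encode()).hexdigest()
    return digest if hex_chars is None else digest[:hex_chars]

def birthday_work(hex_chars):
    """Approximate number of distinct requests after which two share a key
    with ~50% probability: sqrt(2 * ln 2 * 2**bits), with 4 bits per hex char."""
    return int(math.sqrt(2 * math.log(2) * 2.0 ** (4 * hex_chars)))

def cache_lookup(cache, profile, version, packages, hex_chars=12):
    """Serve a cached image only when the stored canonical request matches
    the incoming one, so a key collision is a miss, not another request's
    artifact. cache maps key -> {"request": str, "image": bytes}."""
    entry = cache.get(request_key(profile, version, packages, hex_chars))
    if entry is None or entry["request"] != canonical(profile, version, packages):
        return None
    return entry["image"]

if __name__ == "__main__":
    print(f"12 hex chars: a collision is likely after ~{birthday_work(12):,} requests")
    print(f"64 hex chars: ~{birthday_work(64):.3g} requests")
```

With 12 hex characters (48 bits) the bound lands around twenty million requests, within reach of anyone willing to spend compute; the full digest pushes it beyond 10^38.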

This vulnerability affects users who rely on the attended firmware upgrade process, the firmware-selector.openwrt.org service, or the CLI upgrade functionality. While OpenWrt has characterized the risk of attacks as low, it urged immediate application of the released patches, since the potential impact of successful exploitation is severe.