The OpenWrt Project, an open-source initiative providing a Linux-based operating system for embedded devices, has pushed a critical patch to cover flaws that expose its firmware update server to malicious exploitation.
The vulnerability, tracked as CVE-2024-54143, affects the OpenWrt sysupgrade server and exposes users to potential risks of installing compromised firmware images.
An OpenWrt bulletin explains the problem:
“Due to the combination of command injection in the image builder and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes a hash collision.”
The maintainers documented two main issues:
- Command Injection in Imagebuilder — User-supplied package names are incorporated into `make` commands without proper sanitization, allowing malicious users to inject arbitrary commands into the build process. This results in the production of malicious firmware images signed with the legitimate build key.
- Truncated SHA-256 Hash Collisions — The request hashing mechanism truncates SHA-256 hashes to 12 characters, significantly reducing entropy and enabling attackers to generate collisions. Exploiting this allows a previously built malicious image to replace legitimate ones, compromising the artifact cache.
“Combined, these vulnerabilities enable attackers to serve compromised firmware images via the Attended SysUpgrade service, affecting the integrity of delivered builds,” OpenWrt warned. “Attackers can compromise the build artifacts delivered via sysupgrade.openwrt.org, potentially leading to malicious firmware being installed during the attended firmware upgrade process.”
OpenWrt noted that an attacker needs the ability to submit build requests with crafted package lists. “No authentication is required to exploit these vulnerabilities. By injecting commands and causing hash collisions, attackers can serve malicious images in place of legitimate ones,” according to the advisory.
Although the possibility of compromised images is considered low, OpenWrt is advising users to perform an in-place upgrade to the same version of their firmware to eliminate any risk. Public and self-hosted ASU instances are being encouraged to apply the patches immediately to prevent future exploitation.
The project maintainers stressed that no official images from the downloads.openwrt.org were affected and said available build logs for other custom images were checked and nothing malicious was found.
Related: OpenWrt Informs Users of Forum Breach
Related: Remote Code Execution Vulnerability Patched in OpenWrt
Related: Dozens of RCE Vulnerabilities Impact Milesight Industrial Router
Related: PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability
