Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Critical OpenWrt Flaw Exposes Firmware Update Server to Exploitation

The CVE-2024-54143 vulnerability affects the OpenWrt sysupgrade server and exposes users to risks of installing malicious firmware images.

The OpenWrt Project, an open-source initiative providing a Linux-based operating system for embedded devices, has pushed a critical patch to cover flaws that expose its firmware update server to malicious exploitation.

The vulnerability, tracked as CVE-2024-54143, affects the OpenWrt sysupgrade server and exposes users to potential risks of installing compromised firmware images.

An OpenWrt bulletin explains the problem:

“Due to the combination of command injection in the image builder and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes a hash collision.”

The maintainers documented two main issues:

  • Command Injection in Imagebuilder — User-supplied package names are incorporated into `make` commands without proper sanitization, allowing malicious users to inject arbitrary commands into the build process. This results in the production of malicious firmware images signed with the legitimate build key.
  • Truncated SHA-256 Hash Collisions — The request hashing mechanism truncates SHA-256 hashes to 12 characters,  significantly reducing entropy and enabling attackers to generate collisions. Exploiting this allows a previously built malicious image to replace  legitimate ones, compromising the artifact cache.

“Combined, these vulnerabilities enable attackers to serve compromised firmware images via the Attended SysUpgrade service, affecting the integrity of delivered builds,” OpenWrt warned. “Attackers can compromise the build artifacts delivered via sysupgrade.openwrt.org, potentially leading to malicious firmware being installed during the attended firmware upgrade process.”

OpenWrt noted that an attacker needs the ability to submit build requests with crafted package lists. “No authentication is required to exploit these vulnerabilities. By injecting commands and causing hash collisions, attackers can serve malicious images in place of legitimate ones,” according to the advisory.

Although the possibility of compromised images is considered low, OpenWrt is advising users to perform an in-place upgrade to the same version of their firmware to eliminate any risk. Public and self-hosted ASU instances are being encouraged to apply the patches immediately to prevent future exploitation.

The project maintainers stressed that no official images from the downloads.openwrt.org were affected and said available build logs for other custom images were checked and nothing malicious was found.

Advertisement. Scroll to continue reading.

Related: OpenWrt Informs Users of Forum Breach

Related: Remote Code Execution Vulnerability Patched in OpenWrt

Related: Dozens of RCE Vulnerabilities Impact Milesight Industrial Router

Related: PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.