Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Remote Code Execution Vulnerability Patched in OpenWrt

A vulnerability that OpenWrt addressed in its opkg fork could have been exploited for the remote execution of arbitrary code.

A vulnerability that OpenWrt addressed in its opkg fork could have been exploited for the remote execution of arbitrary code.

A free, Linux-based embedded platform, OpenWrt has been specifically tailored for network routers and is used on millions of devices worldwide. Opkg is a package management system forked from ipkg, and is intended for use on embedded devices.

Tracked as CVE-2020-7982, the addressed issue resides in the package list parse logic of opkg, which did not perform the necessary checks on downloaded .ipk artifacts.

“Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged .ipk packages with malicious payload,” OpenWrt notes in an advisory.

To exploit the security flaw, however, a malicious actor needs to perform a man-in-the-middle (MiTM) attack on the unencrypted HTTP connection between the targeted device and downloads.openwrt.org, the default website opkg downloads packages from.

The attacker must provide a valid and signed package index to the target. Additionally, they would need to deliver at least one forged .ipk package that features the same size as specified in the repository index, and also invoke an ‘opkg install’ command on the victim system.

“To test if opkg would indeed download packages from a custom network connection, I set up a local web server and created a file consisting of random bytes. When I ran opkg to install a package, it retrieved the file as I had intended, and then threw a segmentation fault,” ForAllSecure security researcher Guido Vranken, who discovered the bug, explains.

Opkg, the researcher says, would attempt to unpack and install any package it downloads, as OpenWrt’s SHA256 verification did not work as intended — otherwise, the package would be discarded and not processed.

Advertisement. Scroll to continue reading.

Vranken, who provides a comprehensive technical run-down of the vulnerability, explains that the flaw could also be exploited by an attacker able to control the DNS server used by the device to make downloads.openwrt.org point to a malicious web server.

The vulnerability was addressed in OpenWrt versions 18.06.7 and 19.07.1, both released on February 1, 2020. The fixed opkg package carries version 2020-01-25, OpenWrt says. Users are advised to upgrade to the patched versions as soon as possible.

Related: Peripherals With Unsigned Firmware Expose Windows, Linux Computers to Attacks

Related: VPN Connection Hijacking Vulnerability Affects Linux, Unix Systems

Related: Industrial Giants Respond to ‘Urgent/11’ Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.