A vulnerability that OpenWrt addressed in its opkg fork could have been exploited for the remote execution of arbitrary code.
A free, Linux-based embedded platform, OpenWrt has been specifically tailored for network routers and is used on millions of devices worldwide. Opkg is a package management system forked from ipkg, and is intended for use on embedded devices.
Tracked as CVE-2020-7982, the addressed issue resides in the package list parse logic of opkg, which did not perform the necessary checks on downloaded .ipk artifacts.
“Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged .ipk packages with malicious payload,” OpenWrt notes in an advisory.
To exploit the security flaw, however, a malicious actor needs to perform a man-in-the-middle (MiTM) attack on the unencrypted HTTP connection between the targeted device and downloads.openwrt.org, the default website opkg downloads packages from.
The attacker must provide a valid and signed package index to the target. Additionally, they would need to deliver at least one forged .ipk package that features the same size as specified in the repository index, and also invoke an ‘opkg install’ command on the victim system.
“To test if opkg would indeed download packages from a custom network connection, I set up a local web server and created a file consisting of random bytes. When I ran opkg to install a package, it retrieved the file as I had intended, and then threw a segmentation fault,” ForAllSecure security researcher Guido Vranken, who discovered the bug, explains.
Opkg, the researcher says, would attempt to unpack and install any package it downloads, as OpenWrt’s SHA256 verification did not work as intended — otherwise, the package would be discarded and not processed.
Vranken, who provides a comprehensive technical run-down of the vulnerability, explains that the flaw could also be exploited by an attacker able to control the DNS server used by the device to make downloads.openwrt.org point to a malicious web server.
The vulnerability was addressed in OpenWrt versions 18.06.7 and 19.07.1, both released on February 1, 2020. The fixed opkg package carries version 2020-01-25, OpenWrt says. Users are advised to upgrade to the patched versions as soon as possible.
Related: Peripherals With Unsigned Firmware Expose Windows, Linux Computers to Attacks
Related: VPN Connection Hijacking Vulnerability Affects Linux, Unix Systems
Related: Industrial Giants Respond to ‘Urgent/11’ Vulnerabilities
