Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Remote Code Execution Vulnerability Patched in OpenWrt

A vulnerability that OpenWrt addressed in its opkg fork could have been exploited for the remote execution of arbitrary code.

A vulnerability that OpenWrt addressed in its opkg fork could have been exploited for the remote execution of arbitrary code.

A free, Linux-based embedded platform, OpenWrt has been specifically tailored for network routers and is used on millions of devices worldwide. Opkg is a package management system forked from ipkg, and is intended for use on embedded devices.

Tracked as CVE-2020-7982, the addressed issue resides in the package list parse logic of opkg, which did not perform the necessary checks on downloaded .ipk artifacts.

“Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged .ipk packages with malicious payload,” OpenWrt notes in an advisory.

To exploit the security flaw, however, a malicious actor needs to perform a man-in-the-middle (MiTM) attack on the unencrypted HTTP connection between the targeted device and, the default website opkg downloads packages from.

The attacker must provide a valid and signed package index to the target. Additionally, they would need to deliver at least one forged .ipk package that features the same size as specified in the repository index, and also invoke an ‘opkg install’ command on the victim system.

“To test if opkg would indeed download packages from a custom network connection, I set up a local web server and created a file consisting of random bytes. When I ran opkg to install a package, it retrieved the file as I had intended, and then threw a segmentation fault,” ForAllSecure security researcher Guido Vranken, who discovered the bug, explains.

Opkg, the researcher says, would attempt to unpack and install any package it downloads, as OpenWrt’s SHA256 verification did not work as intended — otherwise, the package would be discarded and not processed.

Vranken, who provides a comprehensive technical run-down of the vulnerability, explains that the flaw could also be exploited by an attacker able to control the DNS server used by the device to make point to a malicious web server.

The vulnerability was addressed in OpenWrt versions 18.06.7 and 19.07.1, both released on February 1, 2020. The fixed opkg package carries version 2020-01-25, OpenWrt says. Users are advised to upgrade to the patched versions as soon as possible.

Related: Peripherals With Unsigned Firmware Expose Windows, Linux Computers to Attacks

Related: VPN Connection Hijacking Vulnerability Affects Linux, Unix Systems

Related: Industrial Giants Respond to ‘Urgent/11’ Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet