A security flaw has been disclosed in OpenWrt's Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages.
The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the flaw on December 4, 2024. The issue has been patched in ASU version 920c8a1.
"Due to the combination of the command injection in the imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision," the project maintainers said in an advisory.
OpenWrt is a popular open-source Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.
Successful exploitation of the flaw could essentially allow a threat actor to inject arbitrary commands into the build process, thereby leading to the production of malicious firmware images signed with the legitimate build key.
Even worse, a 12-character SHA-256 hash collision related to the build key could be weaponized to serve a previously built malicious image in place of a legitimate one, posing a severe supply chain risk to downstream users.
"An attacker needs the ability to submit build requests containing crafted package lists," OpenWrt noted. "No authentication is required to exploit the vulnerabilities. By injecting commands and causing hash collisions, the attacker can force legitimate build requests to receive a previously generated malicious image."
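To make the hash-collision half of the problem concrete, here is an added example (not OpenWrt's or ASU's code) of a build cache keyed by a truncated request hash. It shows why a 12-hex-character key (48 bits) is weak, since a collision is expected after roughly 2^24 distinct requests, and how verifying the full package list on lookup, rather than trusting the short key alone, stops a colliding request from being served someone else's image. The `BuildCache` class, package names and image identifiers are constructed for the demonstration.

```python
import hashlib
import json


def request_hash(packages, truncate_to=None):
    """Hash a canonicalised package list; optionally keep only N hex chars."""
    canonical = json.dumps(sorted(packages), separators=(",", ":")).encode()
    digest = hashlib.sha256(canonical).hexdigest()
    return digest[:truncate_to] if truncate_to else digest


def collision_work_factor(hex_chars):
    """Expected distinct requests before two share a key (birthday bound 2^(bits/2))."""
    return 2 ** ((hex_chars * 4) // 2)


class BuildCache:
    """Constructed cache: maps a (possibly truncated) request hash to a built image."""

    def __init__(self, key_chars=None):
        self.key_chars = key_chars          # None = full 64-char SHA-256 key
        self.store = {}                     # key -> (package_list, image_id)

    def put(self, packages, image_id):
        self.store[request_hash(packages, self.key_chars)] = (sorted(packages), image_id)

    def lookup_by_key_only(self, packages):
        """Weak: trusts the short key, so a colliding request gets the cached image."""
        entry = self.store.get(request_hash(packages, self.key_chars))
        return entry[1] if entry else None

    def lookup_verified(self, packages):
        """Hardened: serve a cached image only if the full package list matches."""
        entry = self.store.get(request_hash(packages, self.key_chars))
        if entry is None or entry[0] != sorted(packages):
            return None
        return entry[1]


def demo(key_chars=2):
    """Use a tiny key (8 bits) so a colliding package list is found in a few hundred tries."""
    legit = ["base-files", "luci", "wpad-basic"]       # constructed legitimate request
    cache = BuildCache(key_chars)
    other = None
    for i in range(1 << 16):
        cand = ["base-files", f"extra-{i}"]             # a different request, same short key
        if request_hash(cand, key_chars) == request_hash(legit, key_chars):
            other = cand
            break
    cache.put(other, "image-from-other-request")       # cache holds the other request's image
    return cache.lookup_by_key_only(legit), cache.lookup_verified(legit)
```

`demo()` returns the image served by the key-only lookup (the other request's image) alongside the verified lookup's result (`None`, i.e. a cache miss and a fresh build).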
RyotaK, who provided a technical breakdown of the bug, said it isn't known whether the vulnerability was ever exploited in the wild because it has "existed for a while." Users are recommended to update to the latest version as soon as possible to safeguard against potential threats.