OpenWrt Vulnerability Allows Malicious Firmware Injection

Got you some real good FUD: learn about the dangers of supply chain attacks through vulnerabilities in custom firmware.


A vulnerability in OpenWrt's Attended Sysupgrade feature allowed attackers to inject malicious firmware images by exploiting a command injection flaw and a hash truncation issue. OpenWrt, used for customizing network devices, had a critical flaw that was quickly patched after discovery. The flaw involved insecure handling of package names in server code and inadequate hash security, enabling attackers to deliver malicious firmware by reusing legitimate cache keys. Despite the fix, users are advised to verify their firmware integrity.


Key Facts

Risks:

Supply Chain, Open Source, Malware, Other: Command Injection

Keywords:

OpenWrt, Vulnerability, Firmware Injection, Command Injection, Supply Chain Attack, Network Devices

CVE:

CVE-2024-54143

Affected:

OpenWrt, ASUS, Belkin, Buffalo, D-Link, Zyxel


Article Body

OpenWrt Sysupgrade Vulnerability: A Risk to Network Device Firmware

A recent vulnerability in OpenWrt's Attended Sysupgrade feature exposed network devices to potential security risks by allowing attackers to distribute malicious firmware. OpenWrt, a widely-used open-source operating system for routers and other network devices, offers customization and supports various brands like ASUS, Belkin, Buffalo, D-Link, and Zyxel.

The Vulnerability

The flaw in question was a critical security vulnerability involving command injection and hash truncation in the Attended Sysupgrade feature. This feature simplifies firmware updates by allowing users to create customized firmware builds that retain previously installed packages and settings. The vulnerability, identified as CVE-2024-54143, had a high severity score of 9.3 on the CVSS v4 scale, indicating its potential impact.

Exploitation Details

The vulnerability was discovered during a routine home lab router upgrade and involved two main issues:

  1. Command Injection: The server code handled package names insecurely, allowing arbitrary command injection. Package names supplied by the user were passed into the 'make' invocation without sanitization, so an attacker could smuggle shell commands into the build and have them executed.

  2. Hash Truncation: The service used a 12-character truncated SHA-256 hash to cache build artifacts. This truncation reduced the hash's security, making it feasible for attackers to brute-force collisions. By doing so, attackers could reuse cache keys from legitimate firmware builds to distribute malicious firmware.
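The two issues above, shown side by side as an added Python example (this is illustrative code written for this summary, not the OpenWrt build service's own code). The package-name allowlist pattern, the `make` argument layout and the constructed manifests are assumptions; the point is that names must never reach a shell as text, and that a cache key truncated to 12 hex characters (48 bits) costs only about 2^48 hashes to match against a specific existing key, versus 2^256 for the full digest. The birthday search runs on a 4-character prefix so it finishes instantly, to show how quickly the work drops with the key length.

```python
import hashlib
import re

# Allowlist for package names (assumed pattern for illustration, not OpenWrt's
# own validator): letters, digits, '.', '_', '+' and '-'. Nothing a shell could
# interpret is permitted, so validation happens before any command is built.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def is_valid_package_name(name: str) -> bool:
    """True only for names that cannot carry shell syntax into a build command."""
    return 0 < len(name) <= 128 and PACKAGE_NAME_RE.fullmatch(name) is not None


def build_command_unsafe(packages):
    """Vulnerable pattern: names are glued into a single shell string.

    Whatever a caller puts in a name (spaces, quotes, metacharacters) becomes
    part of the command line that the shell later parses.
    """
    return "make image PACKAGES='" + " ".join(packages) + "'"


def build_argv_safe(packages):
    """Hardened pattern: reject anything outside the allowlist, then return an
    argv list intended for subprocess.run(argv) with shell=False, so no shell
    ever parses the names. 'PACKAGES=a b' is one argv element; make reads it
    as a single variable assignment."""
    rejected = [p for p in packages if not is_valid_package_name(p)]
    if rejected:
        raise ValueError(f"rejected package names: {rejected}")
    return ["make", "image", "PACKAGES=" + " ".join(packages)]


def cache_key(manifest: bytes, hex_chars=None) -> str:
    """Cache key for a build manifest: the full 64-hex-char SHA-256 unless a
    truncation length is given (the weak setting was 12)."""
    digest = hashlib.sha256(manifest).hexdigest()
    return digest if hex_chars is None else digest[:hex_chars]


def collision_work(hex_chars: int) -> float:
    """Expected hashes to find *some* colliding pair on an n-bit prefix: ~2^(n/2)."""
    return 2.0 ** (hex_chars * 4 / 2)


def second_preimage_work(hex_chars: int) -> float:
    """Expected hashes to match one *specific* existing n-bit key: ~2^n.
    12 hex chars -> 2^48 (commodity GPU territory); 64 hex chars -> 2^256."""
    return 2.0 ** (hex_chars * 4)


def find_prefix_collision(hex_chars: int, limit: int = 1_000_000):
    """Birthday search over constructed manifests b'pkg-0', b'pkg-1', ... until
    two share the same truncated key. Returns (manifest_a, manifest_b, key) or
    None if the limit is hit first."""
    seen = {}
    for i in range(limit):
        manifest = f"pkg-{i}".encode()
        key = cache_key(manifest, hex_chars)
        if key in seen:
            return seen[key], manifest, key
        seen[key] = manifest
    return None


if __name__ == "__main__":
    print(build_argv_safe(["luci", "wpad-basic-mbedtls"]))
    print("12-char key, targeted match work: 2^%d" % (12 * 4))
    print("4-char prefix collision:", find_prefix_collision(4))
```

The defensive takeaway is the combination: validate untrusted names against a strict allowlist and keep them out of any shell, and key caches on the full digest (or on a digest plus a server-side secret) so that reproducing a legitimate key is as hard as breaking SHA-256 itself.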

Using tools like Hashcat on powerful hardware, such as the RTX 4090 graphics card, attackers could exploit these vulnerabilities to modify firmware artifacts and deliver compromised builds to users.

Immediate Response and Recommendations

Upon discovery, the vulnerability was promptly reported to OpenWrt developers, who issued a fix within hours. Despite the quick patch, users are strongly advised to verify the integrity of their installed firmware to ensure it has not been tampered with.
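One concrete form of the integrity check recommended above, as an added Python example (not part of the original article or of OpenWrt's tooling): compare a firmware image's full SHA-256 against a trusted sums record in the `sha256sum` line format (`<hex> *<filename>`). The image bytes and the sums text are constructed inline so the block runs offline; in practice the reference digest would come from a trusted channel such as the project's published checksums or a rebuild on a patched build server, and the sums file's own signature should be checked before trusting it.

```python
import hashlib
import hmac
from typing import Dict


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse '<hex>  *<filename>' / '<hex>  <filename>' lines into {filename: hex}.
    The layout follows sha256sum's output; a leading '*' marks binary mode.
    Lines without a full 64-hex-char digest are ignored rather than trusted."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        try:
            int(digest, 16)  # must be hex, not an arbitrary 64-char token
        except ValueError:
            continue
        table[name.lstrip("*")] = digest.lower()
    return table


def sha256_of(data: bytes) -> str:
    """Full (untruncated) SHA-256 hex digest of an image."""
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, filename: str, sums_text: str) -> bool:
    """True only if the image's full SHA-256 equals the published digest for
    that filename. A missing entry is a failure, not a pass."""
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of(image), expected)


# Constructed sample data: a stand-in image and a sums file derived from it.
SAMPLE_IMAGE = b"constructed-sysupgrade-payload" * 8
SAMPLE_NAME = "openwrt-example-sysupgrade.bin"
SAMPLE_SUMS = f"{sha256_of(SAMPLE_IMAGE)} *{SAMPLE_NAME}\n"
# One flipped byte models a tampered build; the full digest catches it.
TAMPERED_IMAGE = SAMPLE_IMAGE[:-1] + b"\x00"


if __name__ == "__main__":
    print("genuine:", verify_image(SAMPLE_IMAGE, SAMPLE_NAME, SAMPLE_SUMS))
    print("tampered:", verify_image(TAMPERED_IMAGE, SAMPLE_NAME, SAMPLE_SUMS))
```

The comparison uses the whole digest, never a prefix, and rejects rather than passes when the filename is absent from the sums file; both choices matter when the threat is a substituted artifact rather than accidental corruption.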

Implications for Supply Chain Security

This incident underscores the importance of securing supply chain mechanisms in software development, particularly in open-source projects where custom builds are common. It highlights the need for robust input validation and secure hashing mechanisms to prevent similar vulnerabilities in the future.


Read More

https://www.bleepingcomputer.com/news/security/openwrt-sysupgrade-flaw-let-hackers-push-malicious-firmware-images/