A critical vulnerability, identified as CVE-2024-54143, was discovered in OpenWrt’s Attended Sysupgrade (ASU) service, which allows users to create custom firmware images for routers and IoT devices. OpenWrt, an open-source Linux-based operating system, is widely used for its advanced features and customization options, especially on routers from manufacturers like ASUS, D-Link, and Belkin. The ASU service simplifies firmware updates by preserving previously installed packages and settings, eliminating the need for users to manually list packages during upgrades.
The vulnerability, discovered by security researcher RyotaK, involves two issues: command injection and hash truncation. The command injection flaw arises from insecure handling of inputs via the ‘make’ command, which processes package names. This vulnerability allows attackers to execute arbitrary commands during the firmware build process, leading to the potential distribution of malicious firmware images. Additionally, the service uses a truncated 12-character SHA-256 hash to cache build artifacts, enabling brute-force attacks to create collisions and potentially replace legitimate firmware with compromised versions.
Upon disclosing the vulnerability to the OpenWrt team, they responded quickly by taking down the affected service, patching the flaw, and restoring functionality within hours. The team found no evidence that the vulnerability had been exploited in the wild, and build logs for custom firmware images from the past seven days were checked for malicious requests. However, due to the nature of the flaw, users are urged to upgrade their firmware to newly generated images as a precautionary measure.
While the chances of exploitation are considered low, OpenWrt recommends that users replace any potentially insecure firmware images by performing an inplace upgrade. This is especially crucial for anyone running a public, self-hosted instance of the ASU service, which should be updated immediately. Given the long-standing nature of the flaw, users are advised to take action out of an abundance of caution to ensure their devices remain secure.
Reference: