Critical Security Vulnerability Found in OpenWrt: Users Urged to Update Immediately
Researchers recently disclosed a security vulnerability in the open-source router system OpenWrt, which has been assigned the identifier CVE-2024-54143. The vulnerability is rated 9.3 out of 10 on the CVSS 4.0 scale.
Although the vulnerability has existed for some time, it was quickly addressed by the OpenWrt project team within hours of its discovery by researchers. Users of the system are now advised to promptly check for updates.
Users utilizing third-party compiled versions should pay close attention to the developer's homepage to see when they will synchronize with the upstream updates. Once a new firmware version is available, users are encouraged to upgrade as soon as possible.
Details of the Vulnerability:
Researchers from the cybersecurity firm Flatt Security, including RyotaK, discovered the vulnerability while debugging their router and performing routine upgrades. The vulnerability involves command injection and hash truncation.
OpenWrt includes a system upgrade service named Attended Sysupgrade, which allows users to create custom firmware images based on previously installed packages and settings, facilitating firmware customization for professional users.
The Attended Sysupgrade feature enables OpenWrt devices to update to the latest firmware while preserving packages and settings, significantly simplifying the upgrade process with just a few clicks and a short wait for the build and upgrade to complete.
Researchers found that OpenWrt handles these build requests through the sysupgrade.openwrt.org service, which executes the build commands in a container environment. However, the server code used the make command insecurely, which led to a flaw in input handling that allowed arbitrary command injection through package names.
Another issue identified was that the service truncated the SHA-256 hashes it used as cache keys to 12 characters, limiting each hash to only 48 bits. This made brute-force collisions feasible, enabling attackers to reuse cache keys found in legitimate firmware versions.
By exploiting these vulnerabilities, with the Hashcat tool running on an RTX 4090 graphics card, attackers could modify firmware and provide malicious versions to unsuspecting users.
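The two defenses these issues call for, as an added example that is not the OpenWrt project's code: package names are checked against an allowlist before they reach make, and builds are keyed by the full SHA-256 digest. The function names, the regular expressions and the make image PROFILE=/PACKAGES= invocation are assumptions, and first_truncated_collision uses constructed requests to show how quickly a shortened key repeats.

```python
import hashlib
import json
import re

# Assumed allowlist for package names: letters, digits and . _ + - only; an
# optional leading "-" marks a package to remove. Anything else is rejected.
PACKAGE_RE = re.compile(r"-?[A-Za-z0-9][A-Za-z0-9._+-]*")
PROFILE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._,-]*")


def validate_request(profile, packages):
    """Raise ValueError unless every field matches its allowlist."""
    if not PROFILE_RE.fullmatch(profile):
        raise ValueError(f"bad profile: {profile!r}")
    for name in packages:
        if not PACKAGE_RE.fullmatch(name):
            raise ValueError(f"bad package name: {name!r}")


def build_command(profile, packages):
    """Return an argv list for make; no shell string is ever built.

    The allowlist is still required: make pastes variable values into the
    shell lines of its recipes, so an argv list alone does not stop
    metacharacters in PACKAGES from reaching a shell.
    """
    validate_request(profile, packages)
    return ["make", "image", f"PROFILE={profile}", "PACKAGES=" + " ".join(packages)]


def cache_key(profile, packages, hex_chars=64):
    """Key a build by the SHA-256 of its canonical request (full digest by default)."""
    canonical = json.dumps({"profile": profile, "packages": sorted(packages)},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:hex_chars]


def first_truncated_collision(hex_chars):
    """Find two constructed requests whose keys match after truncation."""
    seen = {}
    i = 0
    while True:
        pkgs = [f"pkg{i}"]  # constructed sample package names
        key = cache_key("generic", pkgs, hex_chars)
        if key in seen:
            return seen[key], pkgs
        seen[key] = pkgs
        i += 1
```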
Vulnerability Mitigation:
Upon notification from the researchers, OpenWrt immediately shut down the upgrade server for repairs, completing the fixes and resuming the upgrade server's operation within 3 hours on December 4, 2024.
The OpenWrt team has stated it is highly unlikely that this vulnerability was exploited, and no evidence has been found to suggest that the images hosted on downloads.openwrt.org were affected.
However, logs only go back 7 days from December 4, so the team recommends installing a newly generated OpenWrt image to replace any potentially insecure installations.
While the likelihood of image compromise is nearly zero, users are advised to download the same version image for an in-place upgrade as a safe practice to eliminate potential impacts.
Finally, it's important to emphasize that if you are using images provided by third-party developers, you should follow those developers' updates so that you receive recompiled firmware as soon as possible.