A security flaw has been disclosed in OpenWrt’s Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages.
The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the flaw on December 4, 2024. The issue has been patched in ASU version 920c8a1.
“Due to the combination of the command injection in the imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision,” the project maintainers said in an alert.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
OpenWrt is a popular open-source Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.
Successful exploitation of the shortcoming could essentially allow a threat actor to inject arbitrary commands into the build process, thereby leading to the production of malicious firmware images signed with the legitimate build key.
Even worse, a 12-character SHA-256 hash collision associated with the build key could be weaponized to serve a previously built malicious image in the place of a legitimate one, posing a severe supply chain risk to downstream users.
“An attacker needs the ability to submit build requests containing crafted package lists,” OpenWrt noted. “No authentication is required to exploit the vulnerabilities. By injecting commands and causing hash collisions, the attacker can force legitimate build requests to receive a previously generated malicious image.”
RyotaK, who provided a technical breakdown of the bug, said it’s not known if the vulnerability was ever exploited in the wild because it has “existed for a while.” Users are recommended to update to the latest version as soon as possible to safeguard against potential threats.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
DoJ Indicts 14 North Koreans for $88M IT Worker Fraud Scheme Over Six Years