December 9, 2024 at 01:29PM
The OpenWrt Project has released a critical patch addressing a vulnerability (CVE-2024-54143) that could allow attackers to inject malicious firmware through its sysupgrade server. Issues include command injection in the image builder and truncated SHA-256 hash collisions, compromising firmware integrity. Users are urged to upgrade to mitigate risks.
### Meeting Takeaways on OpenWrt Project Vulnerabilities:
1. **Critical Patch Released**: The OpenWrt Project has issued a critical patch to address vulnerabilities exposing the firmware update server to potential exploitation.
2. **Vulnerability Identification**:
– **CVE-2024-54143**: This vulnerability impacts the OpenWrt sysupgrade server, posing risks of installing compromised firmware images.
3. **Vulnerability Details**:
– **Command Injection in Imagebuilder**: Malicious users can inject commands into `make` commands due to improper sanitization of user-supplied package names, leading to the creation of maliciously signed firmware images.
– **Truncated SHA-256 Hashes**: The hashing mechanism truncates hashes to 12 characters, resulting in reduced entropy and potential hash collisions that could allow attackers to replace legitimate images with malicious ones.
4. **Exploitation Potential**:
– Attackers can serve compromised firmware images via the Attended SysUpgrade service without any required authentication.
– Users are at risk if they submit crafted package lists to build requests.
5. **Risk Mitigation Recommendations**:
– Users are advised to perform in-place upgrades to the same version of firmware to mitigate risks.
– Public and self-hosted ASU instances should apply patches immediately.
6. **Integrity Assurance**: OpenWrt has confirmed that no official images on downloads.openwrt.org were affected and has verified that there are no malicious findings in available build logs for custom images.
7. **Contextual Note**: Users should remain vigilant as the possibility of compromised images is considered low, but preventative measures are encouraged due to the nature of the vulnerabilities.
These takeaways emphasize the importance of addressing the identified vulnerabilities promptly to safeguard users and maintain the integrity of the firmware update process.