December 9, 2024 at 09:07AM
OpenWrt users are urged to upgrade to the same version due to a reported supply chain attack affecting the attended sysupgrade server. Vulnerabilities allow attackers to serve compromised firmware through command injection and weak hash issues. While risks are low, users should update immediately or apply specific commits to secure their systems.
### Meeting Takeaways
1. **Urgent Upgrade Recommendation**: OpenWrt users are advised to upgrade their firmware images to the same version to mitigate risks from a newly reported supply chain attack.
2. **Security Vulnerability Overview**:
– **Command Injection Bug**: Exists in the ‘openwrt/imagebuilder’ image due to inadequate sanitization of user-supplied package names. This could allow attackers to create malicious firmware images.
– **Weak Hash Vulnerability**: The SHA-256 hash used in the build request is truncated to 12 characters (CVE-2024-54143), significantly increasing the likelihood of hash collisions and potentially enabling the serving of malicious images.
3. **Impact of Vulnerabilities**: These issues could allow attackers to disrupt the integrity of firmware images delivered through the Attended Sysupgrade (ASU) service. However, no sensitive resources, such as SSH keys or signing certificates, were exposed due to ASU running on separate servers from Buildbot.
4. **Assessment of Official Images**: OpenWrt confirmed that none of the official images on their download page or any custom images from version 24.10.0-rc2 were affected. Custom images older than seven days were not reviewed due to automatic cleanup.
5. **Mitigation Steps**:
– Users are advised to perform in-place upgrades to eliminate any potential risk.
– For users running public, self-hosted ASU instances, immediate updates are essential.
– Alternatively, users can apply two specific commits, as outlined in OpenWrt’s advisory, for the same effect.
6. **Contextual Note**: This announcement followed the introduction of OpenWrt One, the project’s first hardware platform developed with the Software Freedom Conservancy, contributing to the right-to-repair movement.
7. **Next Steps for Users**: All users should prioritize upgrading their systems or applying the recommended fixes to maintain security and integrity.