December 13, 2024 at 12:57PM
A critical vulnerability (CVE-2024-54143) in OpenWrt's Attended Sysupgrade (ASU) service could allow attackers to serve malicious firmware by combining a command injection in the build step with a brute-forceable truncated request hash. The flaw was fixed in ASU commit 920c8a1. It poses a severe supply chain risk because no authentication is required to exploit it; the public sysupgrade.openwrt.org service has been updated, and anyone running their own ASU instance should update immediately.
### Meeting Takeaways – December 13, 2024
1. **Vulnerability Disclosure**: A critical security flaw in OpenWrt’s Attended Sysupgrade (ASU) feature has been reported, tracked as CVE-2024-54143, with a CVSS score of 9.3.
2. **Discovery**: The vulnerability was discovered by researcher RyotaK and reported on December 4, 2024.
3. **Risk Details**:
– Package names supplied in a build request reach the firmware build (make) step without sanitisation, so an attacker can execute arbitrary commands on the build server and have the resulting malicious image signed with the legitimate build key.
– The server identifies build requests by only the first 12 hex characters (48 bits) of a SHA-256 hash. That is short enough to brute-force: an attacker can craft a malicious request whose truncated hash matches a legitimate one, so a later legitimate request is served the attacker's cached image, heightening the supply chain risk for users.
4. **Exploitation Conditions**:
– No authentication is required to exploit this vulnerability.
– An attacker can exploit it by submitting crafted package lists in build requests.
5. **Patch Availability**: The issue is fixed in ASU commit 920c8a1 (a git commit, not a release version). The public sysupgrade.openwrt.org instance has been updated; operators of self-hosted ASU instances are urged to update to that commit or later.
6. **Current Threat Status**: It is unknown whether the vulnerability has been exploited in the wild. Because the flaw has existed for an extended period, prior exploitation cannot be ruled out.
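The two flaw classes in the risk details above, modelled in Python (the language ASU is written in) as an added example; this is not OpenWrt's or ASU's code. Everything named here is a hypothetical stand-in: the `build_command_*` functions, the package-name allowlist regex, the `request_key` derivation (SHA-256 of the canonical JSON request, truncated to 12 hex digits, as a model of the 12-character truncation described, not ASU's exact scheme), `find_matching_request`, and the `profile`/`version`/`packages` fields of the constructed sample request. The full 48-bit search is too slow for a demo, so the brute force runs against a 4-hex-digit (16-bit) key and `expected_work` states the cost at the real width.

```python
"""Model of the two flaw classes summarised above (added example, not OpenWrt or
ASU code).  Every name here is a hypothetical stand-in: build_command_*,
request_key, find_matching_request, and the "profile"/"version"/"packages"
fields of the constructed sample request."""
import hashlib
import json
import re
import subprocess

# ---- Flaw 1: untrusted package names reaching a shell command ---------------

def build_command_vulnerable(packages):
    """Insecure pattern: names are joined into one string that is later handed
    to `sh -c`, so $(...), backticks and ; inside a name are interpreted."""
    return 'make image PACKAGES="' + " ".join(packages) + '"'

# Conservative allowlist for package names (assumption, not OpenWrt's rule).
PKG_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")

def build_command_safe(packages):
    """Hardened form: validate every name against the allowlist and return an
    argv list, so no shell ever parses attacker-controlled text."""
    for name in packages:
        if not PKG_NAME.fullmatch(name):
            raise ValueError(f"rejected package name: {name!r}")
    return ["make", "image", "PACKAGES=" + " ".join(packages)]

def is_rejected(packages):
    """True if build_command_safe refuses this package list."""
    try:
        build_command_safe(packages)
    except ValueError:
        return True
    return False

def run_in_shell(command):
    """Show what a shell does with the vulnerable string.  `make` is swapped for
    `echo` so the demo is harmless; the returned text is the expanded line."""
    harmless = command.replace("make", "echo", 1)
    return subprocess.run(["sh", "-c", harmless], capture_output=True,
                          text=True, check=True).stdout.strip()

# ---- Flaw 2: request key truncated to 12 hex digits of SHA-256 --------------

def request_key(request, hex_chars=12):
    """Key under which a finished build is cached: SHA-256 of the canonical JSON
    request, truncated to hex_chars hex digits.  12 digits = 48 bits."""
    canon = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:hex_chars]

def expected_work(hex_chars):
    """Average hashes needed to make a request whose key equals a chosen
    target's key (a second preimage on the truncated digest): 2^(4*hex_chars)."""
    return 2 ** (4 * hex_chars)

def find_matching_request(target_request, hex_chars, max_tries=2 ** 22):
    """Brute-force a different request (the target plus one attacker-chosen
    package name) whose truncated key equals the target's.  Returns
    (tries, request) on success, None if max_tries is exhausted."""
    want = request_key(target_request, hex_chars)
    for i in range(max_tries):
        candidate = dict(target_request,
                         packages=target_request["packages"] + [f"evil-{i}"])
        if request_key(candidate, hex_chars) == want:
            return i + 1, candidate
    return None

if __name__ == "__main__":
    bad = ["curl", "$(echo INJECTED)"]
    print(run_in_shell(build_command_vulnerable(bad)))   # the shell ran the $(...)
    print("safe builder rejects it:", is_rejected(bad))

    # Constructed sample request; a real one would name an actual device profile.
    target = {"profile": "generic", "version": "23.05.5", "packages": ["curl", "luci"]}
    print("work to match a 12-digit key: 2^%d hashes" % (expected_work(12).bit_length() - 1))
    # 48 bits is too slow for a demo; 4 hex digits (16 bits) shows the principle.
    tries, evil = find_matching_request(target, hex_chars=4)
    print(f"matched after {tries} tries: {request_key(evil, 4)} == {request_key(target, 4)}")
    print("full digests differ:", request_key(evil, 64) != request_key(target, 64))
```

Two design points worth taking from this. First, the hardened builder does not try to escape shell metacharacters; it refuses anything outside a narrow allowlist and never gives the names to a shell at all, which removes the whole class of bypasses. Second, the work to match a truncated key grows as 2^bits for a chosen target: 2^48 hashes at 12 hex digits is within reach of a motivated attacker, while the full 256-bit digest (`hex_chars=64`) is not, which is why the fix is to stop truncating rather than to lengthen the prefix slightly.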
### Action Items
– Operators of self-hosted ASU instances should update to commit 920c8a1 or later without delay; the public sysupgrade.openwrt.org instance has already been patched.