Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection

December 13, 2024 at 12:57PM

A critical vulnerability (CVE-2024-54143) in OpenWrt’s Attended Sysupgrade could allow attackers to inject malicious firmware by exploiting command injection and hash collision issues. Patched in version 920c8a1, the flaw poses a severe supply chain risk as no authentication is required for exploitation. Users are urged to update immediately.

### Meeting …

OpenWrt Sysupgrade flaw let hackers push malicious firmware images

December 9, 2024 at 05:33PM

A vulnerability in OpenWrt’s Attended Sysupgrade feature for creating custom firmware images may have enabled the distribution of malicious firmware packages, posing a security threat to users.

**Meeting Notes Takeaways:**

1. **Issue Identified**: A flaw exists in OpenWrt’s Attended Sysupgrade feature.
2. **Impact**: The flaw could potentially enable the distribution …

Critical OpenWrt Flaw Exposes Firmware Update Server to Exploitation

December 9, 2024 at 01:29PM

The OpenWrt Project has released a critical patch addressing a vulnerability (CVE-2024-54143) that could allow attackers to inject malicious firmware through its sysupgrade server. Issues include command injection in the image builder and truncated SHA-256 hash collisions, compromising firmware integrity. Users are urged to upgrade to mitigate risks.

### Meeting …

OpenWrt orders router firmware updates after supply chain attack scare

December 9, 2024 at 09:07AM

OpenWrt users are urged to upgrade to the same version due to a reported supply chain attack affecting the attended sysupgrade server. Vulnerabilities allow attackers to serve compromised firmware through command injection and weak hash issues. While risks are low, users should update immediately or apply specific commits to secure …