Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Wi-Fi router security. Show all posts

OpenWrt Urges Users to Update Images to Avoid Potential Supply Chain Attacks

OpenWrt, the open-source Wi-Fi router project, has urged users to upgrade their images to the same version to mitigate a potential supply chain attack. The issue, discovered last week, stems from vulnerabilities in the project’s attended sysupgrade server (ASU). 

Details of the Vulnerability 

Paul Spooren, an OpenWrt developer, alerted users via email about a security flaw in the ASU service. The issue was first reported by Ry0taK, a security researcher from Flatt Security, two days prior. Spooren explained: "Due to the combination of the command injection in the 'openwrt/imagebuilder' image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision."

Key Vulnerabilities
  • Command Injection: A flaw in Imagebuilder caused by improper sanitization of user-supplied package names allows attackers to create malicious firmware signed with legitimate keys.
  • Weak Hash Vulnerability (CWE-328): Tracked as CVE-2024-54143 with a 9.3 CVSS severity rating, the truncation of the SHA-256 hash to 12 characters enables attackers to generate hash collisions.
Spooren warned, "By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to 'poison' the artifact cache and deliver compromised images to unsuspecting users."

Impact and Mitigation 

The vulnerabilities compromise the ASU service, which helps users upgrade firmware while preserving settings and packages. However, sensitive resources like SSH keys and signing certificates remained secure, as ASU instances operate separately from Buildbot. OpenWrt assured users that:
  • Official images and custom images from version 24.10.0-rc2 onward were unaffected.
  • Build logs for older custom images were reviewed, though logs older than seven days were excluded due to cleanup policies.
To address the issue, Spooren recommended: "Although the possibility of compromised images is near 0, it is suggested to the user to make an in-place upgrade to the same version to eliminate any possibility of being affected. If you run a public, self-hosted instance of ASU, please update it immediately."

Alternatively, users can apply two specific commits listed in OpenWrt’s advisory. Coinciding with the announcement, OpenWrt unveiled its first hardware platform, OpenWrt One, developed with the Software Freedom Conservancy (SFC). The device is described as "unbrickable," featuring a switch that separates NOR and NAND flashing. This milestone supports the right-to-repair movement, emphasizing user control and sustainability.