OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
[Operating Systems] 3 Hours Ago (CVE-2024-54143)
- Reference: 0001510872
- News link: https://www.phoronix.com/news/OpenWrt-Compromised-ASU-Builds
A security issue was reported to the OpenWrt project this week around their Attendedsysupgrade Server (ASU) instances that could have led to compromised firmware images being served.
The good news is that it's believed no official images from downloads.openwrt.org were affected nor any custom images from the 21.10.0-rc2 release. OpenWrt developers were only able to verify the build logs for the past seven days due to automatic clean-up of older build logs. Users are thus encouraged to carry out in-place upgrades to the same version to eliminate any possibility of being affected.
The Attendedsysupgrade Server security issue comes down to a combination of two flaws: truncated SHA-256 hashes used to key build requests, and a command injection vector within the image builder.
Friday's mailing list [1] disclosure of the issue explains:
"Due to the combination of the command injection in the `openwrt/imagebuilder` image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision. The issue consists of two main components:
1. **Command Injection in Imagebuilder**: During image builds, user-supplied package names are incorporated into `make` commands without proper sanitization. This allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key.
2. **Truncated SHA-256 Hash Collisions**: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users.
Combined, these vulnerabilities enable an attacker to serve compromised firmware images through the ASU service, affecting the integrity of the delivered builds.
...
An attacker can compromise the build artifact delivered from the sysupgrade.openwrt.org, allowing the malicious firmware image to be installed to the OpenWrt installation that uses the attended firmware upgrade, firmware-selector.openwrt.org, or CLI upgrade."
There is further information within [2] Security Advisory 2024-12-06-1. The fixes correct user input validation and switch to full-length SHA-256 hashes.
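To make the two flaws concrete, here is an added illustration (not OpenWrt's or the ASU project's code) of why a 12-hex-character request hash is collision-prone and why full-length hashes plus allow-list validation of package names close the gap. The request serialisation, the `ath79/generic` target and the package-name character set are assumptions for this example.

```python
import hashlib
import json
import math
import re

# Hypothetical request-hashing helper modelled on the advisory's description:
# the build request (target, profile, package list) is serialised and hashed
# with SHA-256; the vulnerable behaviour kept only the first 12 hex characters.
def request_hash(target, profile, packages, hex_chars=None):
    canonical = json.dumps(
        {"target": target, "profile": profile, "packages": sorted(packages)},
        sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    return digest if hex_chars is None else digest[:hex_chars]

# Expected number of distinct requests before two share a truncated hash
# (birthday bound): about sqrt(pi/2 * 2^bits). 12 hex chars = 48 bits gives
# roughly 2.1e7 requests, trivial for one machine; 64 hex chars = 256 bits
# is out of reach, which is why the fix uses the full digest.
def birthday_attempts(hex_chars):
    bits = 4 * hex_chars
    return math.sqrt(math.pi / 2 * 2 ** bits)

# Show the cache-key collision at a deliberately tiny truncation (4 hex chars)
# so it runs instantly. Two different package lists map to the same truncated
# key while their full SHA-256 digests differ.
def find_truncated_collision(hex_chars, limit=200_000):
    seen = {}
    for i in range(limit):
        pkgs = ["luci", f"pkg-{i}"]  # constructed package lists
        key = request_hash("ath79/generic", "generic", pkgs, hex_chars)
        if key in seen:
            return seen[key], pkgs
        seen[key] = pkgs
    return None

# Allow-list validation of package names before they are placed on a `make`
# command line. Assumed character set: letters, digits, '.', '_', '-', '+'.
# Anything else (spaces, ';', '$', backticks, quotes) is rejected outright.
PACKAGE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")

def is_safe_package_name(name):
    return bool(PACKAGE_NAME.fullmatch(name))

def validate_packages(packages):
    bad = [p for p in packages if not is_safe_package_name(p)]
    if bad:
        raise ValueError(f"rejected package names: {bad}")
    return packages
```

Run `find_truncated_collision(4)` to see the collision found after a few hundred candidates; `birthday_attempts(12)` shows the same search at the vulnerable 12-character truncation costs only on the order of 2^24 hashes.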
[1] http://lists.openwrt.org/pipermail/openwrt-announce/2024-December/000061.html
[2] http://lists.openwrt.org/pipermail/openwrt-announce/2024-December/000062.html