News: 0001510872

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts

([Operating Systems] 3 Hours Ago CVE-2024-54143)


A security issue was reported to the OpenWrt project this week around their Attendedsysupgrade Server (ASU) instances that could have led to compromised firmware images being served.

The good news is that it's believed no official images from downloads.openwrt.org were affected nor any custom images from the 21.10.0-rc2 release. OpenWrt developers were only able to verify the build logs for the past seven days due to automatic clean-up of older build logs. Users are thus encouraged to carry out in-place upgrades to the same version to eliminate any possibility of being affected.

Attendedsysupgrade Server security issue comes down to a combination of two issues with truncated SHA-256 hashes and a command injection vector within the image builder.

Friday's mailing list [1]disclosure of the issue explains:

"Due to the combination of the command injection in the `openwrt/imagebuilder` image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision. The issue consists of two main components:

1. **Command Injection in Imagebuilder**: During image builds, user-supplied package names are incorporated into `make` commands without proper sanitization. This allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key.

2. **Truncated SHA-256 Hash Collisions**: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users.

Combined, these vulnerabilities enable an attacker to serve compromised firmware images through the ASU service, affecting the integrity of the delivered builds.

...

An attacker can compromise the build artifact delivered from the sysupgrade.openwrt.org, allowing the malicious firmware image to be installed to the OpenWrt installation that uses the attended firmware upgrade, firmware-selector.openwrt.org, or CLI upgrade."

There is further information within [2]Security Advisory 2024-12-06-1 . The security fixes are to correct user input validation and using full length SHA-256 hashes.



[1] http://lists.openwrt.org/pipermail/openwrt-announce/2024-December/000061.html

[2] http://lists.openwrt.org/pipermail/openwrt-announce/2024-December/000062.html



Jbk0

ahrs

"Brown Orifice" Is Only The Beginning

Last week security holes were found in Netscape's Java implementation that
allowed it to act as a web server. Earlier today, a hacker announced that
he had found vulnerabilities in Mozilla M17 that allow it to operate as a
web browser. And that's just the beginning.

Said "3l337h4x0r", the discoverer of the M17 exploit, "This is quite a
hack! By manipulating some internal functions, I was able to use M17 to
actually surf the web. Slashdot and Humorix rendered beautifully."

Mozilla engineers were stunned. "This shouldn't be possible. M17 contains
a newsreader, a mail client, an instant messenger client, and a whole
bunch of XUL acronymn-enriched stuff, but it shouldn't be able to handle
HTTP or HTML. We haven't been planning on adding web-surfing functionality
to Mozilla until M30... maybe M25 at the earliest. I suspect this whole
thing is a hoax."