News: 1733753052

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

OpenWrt orders router firmware updates after supply chain attack scare

(2024/12/09)


OpenWrt users should upgrade their images to the same version to protect themselves from a possible supply chain attack reported to the open source Wi-Fi router project last week.

Paul Spooren, developer at OpenWrt, emailed users on Friday regarding a security issue in the project's attended sysupgrade server (ASU) reported two days earlier by Ry0taK, a researcher at Japanese security firm Flatt Security.

Spooren wrote: "Due to the combination of the command injection in the 'openwrt/imagebuilder' image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision."

[1]

The first part, the command injection bug in Imagebuilder, exists due to the process not properly sanitizing user-supplied package names, which allows potential attackers to produce malicious firmware images that are signed with a legitimate build key.

[2]

[3]

The second part is a use of weak hash (CWE-328) vulnerability, which is tracked as CVE-2024-54143 and carries a provisional 9.3 CVSS [4]severity rating .

Spooren said the SHA-256 hash is truncated to 12 characters, significantly reducing its complexity, potentially allowing attackers to generate collisions.

[5]

"By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to 'poison' the artifact cache and deliver compromised images to unsuspecting users," he said.

"Combined, these vulnerabilities enable an attacker to serve compromised firmware images through the ASU service, affecting the integrity of the delivered builds."

[6]Open source router firmware project OpenWrt ships its own entirely repairable hardware

[7]QNAP and Veritas dump 30-plus vulns over the weekend

[8]D-Link tells users to trash old VPN routers over bug too dangerous to identify

[9]700K+ DrayTek routers are sitting ducks on the internet, open to remote hijacking

The ASU is a facility that allows users to more easily upgrade their firmware, leaving their packages and settings untouched.

The combined issues affected all ASU instances but because they run on dedicated servers separate from Buildbot, no sensitive resources such as SSH keys or signing certificates were accessible.

OpenWrt said none of the official images hosted on its download page, nor any custom images from 24.10.0-rc2, were affected. It reviewed the build logs of other custom images and found no foul play; however, builds older than seven days were not checked due to automatic cleanup procedures.

[10]

Spooren said: "Although the possibility of compromised images is near 0, it is suggested to the user to make an in-place upgrade to the same version to eliminate any possibility of being affected by this. If you run a public, self-hosted instance of ASU, please update it immediately."

Alternatively, applying two specific commits, detailed in [11]OpenWrt's advisory , will achieve the same result.

The announcement came just a few days after the project announced [12]OpenWrt One – its first hardware platform jointly developed with the Software Freedom Conservancy (SFC).

It's being billed as a huge win for the right-to-repair movement and the SFC said the device is "unbrickable" due to a switch allowing it to flash NOR and NAND separately. ®

Get our [13]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1ciNkx1tDYrMVKhYc7fzgAAAQk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1ciNkx1tDYrMVKhYc7fzgAAAQk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1ciNkx1tDYrMVKhYc7fzgAAAQk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1ciNkx1tDYrMVKhYc7fzgAAAQk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/12/02/openwrt_one_foss_wifi_router/

[7] https://www.theregister.com/2024/11/26/qnap_veritas_vulnerabilities/

[8] https://www.theregister.com/2024/11/20/dlink_rip_replace_router/

[9] https://www.theregister.com/2024/10/02/draytek_routers_bugs/

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1ciNkx1tDYrMVKhYc7fzgAAAQk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[11] https://lists.openwrt.org/pipermail/openwrt-announce/2024-December/000061.html

[12] https://www.theregister.com/2024/12/02/openwrt_one_foss_wifi_router/

[13] https://whitepapers.theregister.com/



"SHA-256 hash is truncated to 12 characters"

Dan 55

What? How? Perhaps nobody widened the field since the days when they were using CRC?

Re: "SHA-256 hash is truncated to 12 characters"

Anonymous Coward

Good old days. Reminds me of the CRC32 collision. Guy who made it was from China, I think.

Odd behavior

Yet Another Anonymous coward

Aren't they supposed to deny everything, then sue anyone who talks about it and then tell you to throw out the hardware and buy new ones ?

Re: Odd behavior

DoContra

Not when you're the vendor/project everybody goes to once the OEM did that to you ;)

Anonymous Coward

What with Google's quantum chip announcement and the possible issues it creates for encryption, the increasing number of supply chain attacks weakening security etc. I think I'm going to live on a beach and start hoarding cowrie shells, seems way more future proof.

Leona, I want to CONFESS things to you ... I want to WRAP you in a SCARLET
ROBE trimmed with POLYVINYL CHLORIDE ... I want to EMPTY your ASHTRAYS ...