The Register: OpenWrt orders router firmware updates after supply chain attack scare

Source URL: https://www.theregister.com/2024/12/09/openwrt_firmware_vulnerabilities/
Source: The Register
Title: OpenWrt orders router firmware updates after supply chain attack scare

Feedly Summary: A couple of bugs lead to a potentially bad time
OpenWrt users should upgrade their images to the same version to protect themselves from a possible supply chain attack reported to the open source Wi-Fi router project last week.…

AI Summary and Description: Yes

Summary: The text addresses critical security vulnerabilities in the OpenWrt project, specifically in its attended sysupgrade server (ASU). The issue combines a command injection flaw with the use of a weak (truncated) hash, posing a risk of supply chain attacks through compromised firmware images. Professionals in software security, infrastructure security, and open-source project maintenance will find this information relevant for protecting their systems and understanding the threat.

Detailed Description:
The text highlights serious security vulnerabilities discovered in the OpenWrt project, a widely-used open-source firmware for routers. Key points include:

– **Vulnerability Overview**:
  – OpenWrt developers encouraged users to upgrade their images after a possible supply chain attack was reported to the project.
  – A researcher at Flatt Security identified flaws in the ASU service involving command injection and the use of a weak hash.

– **Specific Vulnerabilities**:
  – **Command Injection**:
    – The Imagebuilder process inadequately sanitizes user-provided package names.
    – This flaw allows attackers to generate malicious firmware images, potentially leading to firmware supply chain attacks.
  – **Weak Hash (CWE-328)**:
    – The SHA-256 hash used is truncated to just 12 characters, greatly reducing its strength.
    – This vulnerability is tracked as CVE-2024-54143 and is rated 9.3 on the CVSS severity scale.

– **Implications of the Vulnerabilities**:
  – By exploiting these flaws, attackers could serve malicious images in place of legitimate ones, ‘poisoning’ the artifact cache.
  – The ASU service, which lets users upgrade firmware while retaining their settings, could therefore deliver compromised images, undermining firmware integrity.

– **Recommendations**:
  – OpenWrt advised users to perform in-place upgrades or apply the specific fixes outlined in its advisory.
  – Although the risk that images were actually compromised is reported to be low, users are urged to take precautionary measures.

– **Additional Context**:
  – The announcement of these vulnerabilities coincides with OpenWrt’s introduction of OpenWrt One, a secure hardware platform developed alongside the Software Freedom Conservancy, underlining the importance of security in new hardware initiatives.
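
The two weaknesses listed under "Specific Vulnerabilities" map onto two defensive patterns, shown here as an added illustration that is not the ASU project's own code: a strict allowlist for user-supplied package names combined with an argument vector (never a shell string) for the Imagebuilder call, and a cache key that keeps the full SHA-256 digest rather than a 12-character prefix. The `make` wrapper, the allowlist pattern and the assumption that the truncated request hash serves as the artifact cache key are mine; the package and profile names are constructed samples.

```python
import hashlib
import json
import re

# Assumed allowlist for OpenWrt package/profile names:
# letters, digits, '.', '_', '+', '-' and nothing that a shell could interpret.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def validate_names(names):
    """Reject any name that fails the allowlist; return the clean list."""
    bad = [n for n in names if not NAME_RE.fullmatch(n)]
    if bad:
        raise ValueError(f"rejected names: {bad}")
    return list(names)


def build_argv(profile, packages):
    """Argument vector for a hypothetical Imagebuilder wrapper.

    Handing this list to subprocess.run() without shell=True means a name
    such as 'luci; id' is never parsed by a shell, and the allowlist above
    rejects it before it gets that far.
    """
    (profile,) = validate_names([profile])
    clean = validate_names(packages)
    return ["make", "image", f"PROFILE={profile}", "PACKAGES=" + " ".join(clean)]


def canonical_request(profile, packages):
    """Deterministic encoding of a build request: sorted, de-duplicated names."""
    body = {"profile": profile, "packages": sorted(set(packages))}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def cache_key_truncated(profile, packages):
    """The weak scheme the advisory describes: 12 hex chars, i.e. 48 bits."""
    return hashlib.sha256(canonical_request(profile, packages)).hexdigest()[:12]


def cache_key_full(profile, packages):
    """Corrected scheme: the whole 256-bit digest identifies the cached image."""
    return hashlib.sha256(canonical_request(profile, packages)).hexdigest()


def collision_work_bits(hex_chars):
    """Birthday bound: log2 of the expected work to collide a hex-truncated digest."""
    return hex_chars * 4 // 2
```

With `collision_work_bits(12)` at 24 bits against 128 for the full digest, the truncation is what turns a theoretical collision into a practical cache-poisoning risk, which is why the fix restores the full hash alongside the input sanitization.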

This situation emphasizes the ongoing need for vigilance in software and firmware security, particularly within open-source projects, where community collaboration can both enhance and challenge system integrity. Security professionals must consider the implications of such vulnerabilities in their risk assessments and operational practices.