A security flaw has been disclosed in OpenWrt‘s Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages.
The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the flaw on December 4, 2024. The issue has been patched in ASU version 920c8a1.
“Due to the combination of the command injection in the imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision,” the project maintainers said in an alert.
OpenWrt is a popular open-source Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.
Successful exploitation of the shortcoming could essentially allow a threat actor to inject arbitrary commands into the build process, thereby leading to the production of malicious firmware images signed with the legitimate build key.
Even worse, a 12-character SHA-256 hash collision associated with the build key could be weaponized to serve a previously built malicious image in the place of a legitimate one, posing a severe supply chain risk to downstream users.
“An attacker needs the ability to submit build requests containing crafted package lists,” OpenWrt noted. “No authentication is required to exploit the vulnerabilities. By injecting commands and causing hash collisions, the attacker can force legitimate build requests to receive a previously generated malicious image.”
RyotaK, who provided a technical breakdown of the bug, said it’s not known if the vulnerability was ever exploited in the wild because it has “existed for a while.” Users are recommended to update to the latest version as soon as possible to safeguard against potential threats.