OpenWrt Sysupgrade flaw let hackers push malicious firmware images
A flaw in OpenWrt’s Attended Sysupgrade feature used to build custom, on-demand firmware images could have allowed for the distribution of malicious firmware packages.
OpenWrt is a highly customizable, open-source, Linux-based operating system designed for embedded devices, particularly network devices like routers, access points, and other IoT hardware. The project is a popular alternative to a manufacturer’s firmware as it offers numerous advanced features and supports routers from ASUS, Belkin, Buffalo, D-Link, Zyxel, and many more.
The command injection and hash truncation flaw was discovered by Flatt Security researcher ‘RyotaK’ during a routine home lab router upgrade.
The critical (CVSS v4 score: 9.3) flaw, tracked as CVE-2024-54143, was fixed within hours of being disclosed to OpenWrt’s developers. However, users are urged to perform checks to ensure the safety of their installed firmware.
Poisoning OpenWrt images
OpenWrt includes a service called Attended Sysupgrade that allows users to create custom, on-demand firmware builds that include previously installed packages and settings.
“The Attended SysUpgrade (ASU) facility allows an OpenWrt device to update to new firmware while preserving the packages and settings. This dramatically simplifies the upgrade process: just a couple clicks and a short wait lets you retrieve and install a new image built with all your previous packages,” explains an OpenWrt support page.
“ASU eliminates the need to make a list of packages you installed manually, or fuss with opkg just to upgrade your firmware.”
RyotaK discovered that the sysupgrade.openwrt.org service processes these inputs via commands executed in a containerized environment.
A flaw in the input handling mechanism originating from the insecure usage of the ‘make’ command in the server code allows arbitrary command injection via the package names.
A second problem RyotaK discovered was that the service uses a 12-character truncated SHA-256 hash to cache build artifacts, limiting the hash to only 48 bits.
The researcher explains that this makes brute-forcing collisions feasible, allowing an attacker to create a request that reuses a cache key found in legitimate firmware builds.
By combining the two problems and using the Hashcat tool on an RTX 4090 graphics card, RyotaK demonstrated that it’s possible to modify firmware artifacts to deliver malicious builds to unsuspecting users.
Check your routers
The OpenWrt team immediately responded to RyotaK’s private report, taking down the sysupgrade.openwrt.org service, applying a fix, and getting it back up in 3 hours on December 4, 2024.
The team says it’s highly unlikely that anyone has exploited CVE-2024-54143, and they have found no evidence that this vulnerability impacted images from downloads.openwrt.org.
However, since they only have visibility for what happened in the last 7 days, it is suggested that users install a newly generated image to replace any potentially insecure images currently loaded on their devices.
“Available build logs for other custom images were checked and NO MALICIOUS REQUEST FOUND, however due to automatic cleanups no builds older than 7 days could be checked. Affected server is reset and reinizialized from scratch,” explains OpenWrt.
“Although the possibility of compromised images is near 0, it is SUGGESTED to the user to make an INPLACE UPGRADE to the same version to ELIMINATE any possibility of being affected by this. If you run a public, self-hosted instance of ASU, please update it immediately.”
This issue has existed for a while, so there are no cut-off dates, and everyone should take the recommended action out of an abundance of caution.