A significant security vulnerability has been identified in the Attended Sysupgrade (ASU) feature of OpenWrt. If exploited, this flaw could enable the distribution of compromised firmware packages, posing a threat to users of this popular open-source Linux-based OS.
The vulnerability, assigned the identifier CVE-2024-54143, has a critical CVSS score of 9.3 out of 10. RyotaK, a researcher from Flatt Security, discovered and reported this issue on December 4, 2024. The flaw has since been addressed in ASU version 920c8a1.
According to the project maintainers, the vulnerability stems from a combination of command injection vulnerabilities in the image-building process and inadequate hash validation methods. This allows an attacker to inject arbitrary package lists that create a hash collision, thereby corrupting legitimate image builds.
OpenWrt serves a large user base, particularly in the United States, where it is widely utilized in routers and residential gateways. The open-source nature of the platform makes it a target for malicious actors seeking to exploit weaknesses for unauthorized access or control.
Successful exploitation of this vulnerability could allow a threat actor to execute arbitrary commands during the firmware building process. Consequently, this could result in the generation of malicious firmware images that appear legitimate due to being signed with valid build keys.
Moreover, a crucial aspect of this vulnerability is a collision in the SHA-256 hash truncated to 12 characters, which could be exploited to serve previously built malicious images instead of legitimate ones. This creates a notable supply-chain risk for organizations that rely on OpenWrt for their networking needs.
As noted by OpenWrt, attackers do not require authentication to exploit this vulnerability. By submitting crafted build requests containing malicious package lists, an attacker can manipulate legitimate build processes into delivering compromised firmware.
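As an added illustration (not OpenWrt's or ASU's own code; the request fields, package names and target values are assumed), the following shows why a build-cache key made of 12 hex characters of SHA-256 keeps only 48 bits of collision resistance, and how a build service can canonicalise and validate a package list before hashing it or handing it to any build step:

```python
import hashlib
import json
import math
import re

# Hypothetical request fields; the real ASU request schema is not reproduced here.
PKG_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")

def validate_package_names(packages):
    """Reject anything that is not a plain package name before the list reaches a build step."""
    bad = [p for p in packages if not PKG_NAME_RE.match(p)]
    if bad:
        raise ValueError(f"invalid package names: {bad}")
    return sorted(set(packages))

def canonical_request(target, profile, version, packages):
    """Deterministic encoding of a build request so the key covers exactly its contents."""
    body = {"target": target, "profile": profile, "version": version,
            "packages": validate_package_names(packages)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def full_key(req):
    return hashlib.sha256(req).hexdigest()          # 64 hex chars, 256 bits

def truncated_key(req, hex_chars=12):
    return full_key(req)[:hex_chars]                # 12 hex chars keep only 48 bits

def birthday_attempts(hex_chars, probability=0.5):
    """Distinct inputs needed for a collision with the given probability (birthday bound)."""
    bits = 4 * hex_chars
    return math.sqrt(2 * (2 ** bits) * math.log(1 / (1 - probability)))

def find_truncated_collision(hex_chars, limit):
    """Regression check: enumerate distinct constructed requests until two share a truncated key.
    With limit > 16**hex_chars the pigeonhole principle guarantees a pair is found."""
    seen = {}
    for i in range(limit):
        req = canonical_request("x86/64", "generic", "23.05.0", ["luci", f"demo-pkg-{i}"])
        k = truncated_key(req, hex_chars)
        if k in seen:
            return seen[k], req
        seen[k] = req
    return None

if __name__ == "__main__":
    print(f"48-bit key: ~{birthday_attempts(12):.3g} requests for a 50% collision chance")
    a, b = find_truncated_collision(4, 16 ** 4 + 1)   # 16-bit key: collides almost immediately
    print("distinct requests, same 4-char key:", truncated_key(a, 4), full_key(a) != full_key(b))
```

The 16-bit run is a scaled-down demonstration; the same arithmetic gives roughly twenty million requests for a 50% collision chance at 48 bits, which is why the cache key must use the full digest.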
RyotaK, who provided a thorough technical analysis of the issue, indicated that it remains unclear whether this vulnerability has been exploited in operational environments. Users are strongly advised to upgrade to the latest version promptly to mitigate potential risks associated with this vulnerability.