OpenWrt urges users to upgrade after security flaws found is profiled by BTW Media because published evidence links it to internet infrastructure, governance, operational dependencies, or market visibility.
OpenWrt urges users to upgrade after security flaws found is tracked as an internet infrastructure institution within the internet infrastructure ecosystem.
OpenWrt urges users to upgrade after security flaws found has public-source relevance to network operations, governance, dependency mapping, or market structure.
Public-source signals support medium-impact monitoring for infrastructure visibility and dependency analysis.
| 0.90–1.00 | A | High — direct sources |
| 0.75–0.89 | A/B | Strong |
| 0.55–0.74 | B/C | Medium |
| 0.35–0.54 | C/D | Weak–medium |
| 0.10–0.34 | D | Weak signal |
| 0.00–0.09 | D | Internal monitoring |
Several public sources
- OpenWrt urges users to upgrade firmware after security flaws in ASU server.
- Two vulnerabilities could allow attackers to serve compromised firmware images.
What happened: OpenWrt security flaws
OpenWrt users are advised to upgrade their firmware images to the same version after a security issue was reported last week. The vulnerability, discovered in the project’s attended sysupgrade server (ASU), could potentially allow attackers to inject malicious firmware through a combination of two flaws.
The first flaw, a command injection bug in the ‘openwrt/imagebuilder’ image, allows attackers to inject malicious package names, creating fake firmware images signed with a legitimate build key. The second flaw, a weak hash vulnerability (CVE-2024-54143), occurs because the SHA-256 hash used in the build request is truncated, reducing its complexity and enabling hash collisions. These vulnerabilities could allow attackers to deliver compromised firmware to unsuspecting users. Although the risk of compromised images is low, OpenWrt recommends users upgrade to the same version to mitigate any potential threats. Users hosting public ASU instances are urged to apply the fixes immediately.
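The two issues described above, shown from the defender's side in an added example that is not OpenWrt's or the ASU project's code: a build-request key that rejects unexpected package names and keeps the full SHA-256 digest, next to a truncated variant that collides after a few hundred requests. The function names, the package-name pattern, the field layout and the 4-hex-character truncation (chosen so the demonstration runs quickly) are all assumptions.

```python
import hashlib
import re

# Conservative allowlist for package names (assumed pattern, not OpenWrt's rule).
PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+._-]*")


def request_key(version, target, packages, hex_chars=64):
    """Key identifying a build request; hex_chars < 64 models a truncated digest."""
    for name in packages:
        if not PKG_NAME.fullmatch(name):
            # Refuse anything that is not a plain package name before it
            # can reach a build command line.
            raise ValueError(f"rejected package name: {name!r}")
    # Length-prefix every field so two different requests can never
    # serialize to the same byte string.
    fields = [version, target, *sorted(packages)]
    blob = "".join(f"{len(f)}:{f}" for f in fields).encode()
    return hashlib.sha256(blob).hexdigest()[:hex_chars]


def first_collision(hex_chars, max_tries=70_000):
    """Find two different (constructed) package lists with the same truncated key."""
    seen = {}
    for i in range(max_tries):
        pkgs = [f"constructed-pkg-{i}"]
        key = request_key("0.0.0", "example/target", pkgs, hex_chars)
        if key in seen:
            return seen[key], pkgs, i + 1
        seen[key] = pkgs
    return None


def expected_tries(hex_chars):
    """Birthday estimate: about 1.18 * sqrt(2^bits) requests for a 50% chance."""
    bits = 4 * hex_chars
    return 1.1774 * 2 ** (bits / 2)


if __name__ == "__main__":
    a, b, tries = first_collision(4)
    print(f"truncated to 4 hex chars: {a} and {b} collide after {tries} requests")
    print(f"birthday estimate for 4 hex chars: {expected_tries(4):.0f} requests")
    print(f"birthday estimate for the full digest: {expected_tries(64):.2e} requests")
```

A server that caches build results under the truncated key would hand the second requester the first requester's image, which is why the key must be the full digest.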
OpenWrt assured users that official images and custom builds from 24.10.0-rc2 remain unaffected. However, older builds not checked due to automatic cleanup procedures may still pose a risk. OpenWrt issued the advisory shortly after announcing OpenWrt One. The Software Freedom Conservancy developed this new hardware platform.
Why it is important
The security flaw in OpenWrt’s sysupgrade server (ASU) makes it crucial for users to upgrade their firmware to the same version. The vulnerability could allow attackers to inject malicious firmware using two issues: a command injection bug and a weak hash vulnerability. The command injection allows malicious package names to create fake firmware images. The weak hash makes it easier for attackers to generate collisions and serve compromised images.
Although the risk of a successful attack is low, OpenWrt recommends upgrading to eliminate any potential threats. Users with public ASU instances should update immediately. Official images and recent custom builds remain unaffected, but older builds could still be at risk. This issue highlights the need for timely updates and vigilance in maintaining the integrity of the system. The advisory comes just after the announcement of OpenWrt One, underscoring the importance of securing both software and hardware platforms.
At A Glance
- Name: OpenWrt urges users to upgrade after security flaws found
- Type: Internet infrastructure institution
- Base: Global
- Profile focus: Institution
What It Does
- Public records support monitoring of its role, services, and key relationships.
Why It Matters
- Public-source signals support medium-impact monitoring for infrastructure visibility and dependency analysis.
- Operational criticality: Medium
- Time horizon: Next quarter
What To Watch
- Monitoring focuses on verified service continuity, governance changes, and relationship signals.
Track verified source updates, role changes, and current public evidence.
Longer-term relevance depends on verified operating, policy, and relationship changes.





