A serious vulnerability reportedly existed in OpenWrt – a Linux-based operating system. This critical vulnerability allows for remote code execution on a target OpenWrt device.
OpenWrt RCE Vulnerability
Security researcher Guido Vranken has disclosed a serious security flaw affecting OpenWrt-based devices. Upon an exploit, the vulnerability could allow an attacker to take complete control of the target OpenWrt-based device.
The bug specifically affected the OPKG utility of the OpenWrt system. Under normal conditions, OPKG retrieves digitally signed package lists before installation. However, due to a bug in
checksum_hex2bin, OPKG could not recognize malicious packages and would proceed installation. Thus, an attacker could simply conduct a MiTM attack to serve maliciously crafted signed packages from the webserver.
The attacker must either be in a position to intercept and replace communication between the device and downloads.openwrt.org, or control the DNS server used by the device to make downloads.openwrt.org point to a web server controlled by the attacker.”
Further technical details are available in the researcher’s blog post.
Patch Released – Update Now
Acknowledging the existence of the vulnerability CVE-2020-7982, OpenWrt has shared an advisory. Describing the flaw, the advisory reads,
A bug in the package list parse logic of OpenWrt’s opkg fork caused the package manager to ignore SHA-256 checksums embedded in the signed repository index, effectively bypassing integrity checking of downloaded .ipk artifacts.
Since OPKG executes with root privileges on OpenWrt, arbitrary code execution became possible simply by injecting forged .ipk packages with malicious payloads.
The bug affected OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. Whereas, the patches are available with OpenWrt 18.06.7, OpenWrt 19.07.1. Users of the respective devices must ensure updating their systems to the patched versions.
Besides, OpenWrt has also shared other ways to mitigate the vulnerability in the advisory.
Let us know your thoughts in the comments.