A security flaw has been discovered in OpenWrt's Attended Sysupgrade (ASU) feature that, if successfully exploited, could be used to distribute malicious firmware images to users.
The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the flaw on December 4, 2024. The problem has been fixed in ASU version 920c8a1.
“By combining command injection into the image builder image and the truncated SHA-256 hash included in the build request hash, an attacker can taint a legitimate image by providing a list of packages that causes the hashes to collide,” the project maintainers said in the advisory.
OpenWrt is a popular open source Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.
Successful exploitation of the flaw could allow a threat actor to inject arbitrary commands into the build process, thereby producing malicious firmware images signed by a legitimate build key.
Even worse, because the build request hash is truncated to 12 characters of the SHA-256 digest, an attacker can craft a request whose hash collides with that of a legitimate one and cause the server to serve a previously generated malicious image in its place, posing a serious risk to users further down the supply chain.
“An attacker needs the ability to send build requests containing crafted package lists,” OpenWrt noted. “No authentication is required to exploit the vulnerabilities. By injecting commands and causing hash collisions, an attacker can force legitimate build requests to receive a previously generated malicious image.”
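The cache-poisoning half of the attack, as an added illustration that is not OpenWrt's or ASU's code: a toy build cache keyed by a truncated SHA-256 of the build request. The request fields, the canonical string that is hashed, the target and profile names, the filler package names and the package-name allow-list are all assumptions made for this example. With the truncation shortened from 12 hex characters (48 bits) to 4 so the search finishes instantly, the attacker finds a package list that collides with the victim's, builds first, and the victim's later legitimate request is answered from the cache with the attacker's image. The full digest defeats the same trick, and an allow-list on package names is the kind of check that would have blocked the command-injection half before the list reached a shell-backed build step.

```python
import hashlib
import re

# Added example, not OpenWrt's ASU code: a toy image-build cache keyed by a
# truncated SHA-256 of the build request. The request fields, the canonical
# string that is hashed and the package-name rule are assumptions made here.


def request_hash(target: str, profile: str, packages: list[str], keep: int) -> str:
    """SHA-256 over the request, keeping only the first `keep` hex characters.

    keep=12 corresponds to the 12-character truncation the advisory describes
    (48 bits); keep=64 is the full digest.
    """
    canonical = "\n".join([target, profile, " ".join(packages)])
    return hashlib.sha256(canonical.encode()).hexdigest()[:keep]


def simulated_build(packages: list[str]) -> bytes:
    """Stand-in for the image builder: the 'image' is just the package list."""
    return b"image with packages: " + " ".join(packages).encode()


class BuildCache:
    """Returns a previously built image whenever the (truncated) request hash matches."""

    def __init__(self, keep: int):
        self.keep = keep
        self.images: dict[str, bytes] = {}

    def build(self, target: str, profile: str, packages: list[str]) -> bytes:
        key = request_hash(target, profile, packages, self.keep)
        if key not in self.images:
            self.images[key] = simulated_build(packages)
        return self.images[key]


def find_colliding_packages(target, profile, victim_packages, keep, max_tries=1 << 22):
    """Second-preimage search: append a filler package name until the truncated
    hash equals the victim's. Expected cost is 16**keep hashes, i.e. 2**48 for
    keep=12, which is feasible to brute-force; the demo uses a shorter
    truncation so it finishes in well under a second."""
    goal = request_hash(target, profile, victim_packages, keep)
    for i in range(max_tries):
        candidate = victim_packages + [f"pad-{i:x}"]
        if request_hash(target, profile, candidate, keep) == goal:
            return candidate
    return None


# Assumed allow-list for package names (lowercase letters, digits, . _ + -);
# shell metacharacters such as ; $ ( ) ` | & never reach the build step.
PACKAGE_NAME = re.compile(r"[a-z0-9][a-z0-9._+-]*")


def validate_packages(packages: list[str]) -> list[str]:
    """Reject any package name outside the allow-list before it is used."""
    bad = [p for p in packages if not PACKAGE_NAME.fullmatch(p)]
    if bad:
        raise ValueError(f"rejected package names: {bad}")
    return packages


def poisoned_cache_demo(keep: int = 4):
    """Attacker builds first with a colliding package list; the victim's later,
    legitimate request is answered from the cache with the attacker's image.
    Returns (attacker_image, victim_image, collision_found)."""
    target, profile = "ath79/generic", "tplink_archer-c7-v2"  # constructed values
    victim_packages = ["luci", "wpad-basic-mbedtls"]          # constructed list
    cache = BuildCache(keep)
    attacker_packages = find_colliding_packages(target, profile, victim_packages, keep)
    if attacker_packages is None:
        return None, cache.build(target, profile, victim_packages), False
    attacker_image = cache.build(target, profile, attacker_packages)
    victim_image = cache.build(target, profile, victim_packages)
    return attacker_image, victim_image, True


if __name__ == "__main__":
    attacker_img, victim_img, hit = poisoned_cache_demo(keep=4)
    print("victim received attacker's image:", hit and attacker_img == victim_img)
    try:
        validate_packages(["luci", "wpad; id"])
    except ValueError as err:
        print(err)
```

The search above is a second-preimage search against one known victim request, which is the expensive direction; an attacker who only needs any two of their own requests to collide faces a birthday bound of roughly 2**24 hashes at 48 bits. Either way, a cache key should be the full digest over a canonical encoding of the request, and the package list should be validated against an allow-list before it is interpolated into any command.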
RyotaK, who has provided a technical breakdown of the bug, said it was not known whether the vulnerability had ever been exploited in the wild because it had “been around for a while.” Users are advised to update to the latest version as soon as possible to protect themselves from potential threats.