442/67 Monday, December 16, 2024
OpenWrt, a popular open-source operating system for routers and network devices, has been revealed to contain a critical security vulnerability in its Attended Sysupgrade (ASU) feature. This vulnerability, identified as CVE-2024-54143, has received a CVSS severity score of 9.3 out of 10, indicating a high level of risk.
The vulnerability was discovered and reported by researcher RyotaK from Flatt Security on December 4, 2024. It could be exploited to distribute malicious firmware by altering commands in the build process and causing SHA-256 hash collisions in image generation requests. The result is unsafe firmware signed with valid build keys that replaces legitimate firmware. OpenWrt administrators noted that attackers could send customterized image build requests without authentication, creating counterfeit firmware and tricking the system into accepting malicious files. This poses a severe threat to the supply chain and could impact end-user devices. The issue has been addressed in version 920c8a1 of ASU, and OpenWrt strongly recommends that users update their software to the latest version immediately to mitigate the risk.
Although there is no clear evidence that this vulnerability has been actively exploited, the disclosure that “this vulnerability has existed for a long time” underscores the importance of keeping systems up to date to minimize potential threats. CVE-2024-54143 highlights the critical need for robust security measures in network systems and supply chains. OpenWrt administrators and users are urged to prioritize software updates and to rigorously verify their firmware download processes, which reduces the likelihood of future attacks by malicious actors.
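The verification step recommended above can be made concrete on the client side: before flashing, compare the full SHA-256 of a downloaded image with the entry published for it in the release's sha256sums manifest. The following is an added example, not code from OpenWrt or ASU; the manifest line format ("<64 hex chars> *<filename>" or "<64 hex chars>  <filename>") is assumed, and the image bytes and manifest are constructed inline.

```python
import hashlib
import hmac
import re

# Constructed sample data: a stand-in image and a manifest entry for it.
# The second manifest line is an unrelated file with a placeholder digest.
SAMPLE_IMAGE = b"constructed firmware image bytes, not a real OpenWrt image"
SAMPLE_MANIFEST = (
    f"{hashlib.sha256(SAMPLE_IMAGE).hexdigest()} *openwrt-example-sysupgrade.bin\n"
    "0000000000000000000000000000000000000000000000000000000000000000 *other.bin\n"
)

# A valid line is exactly 64 lowercase hex chars, a space, then ' ' or '*',
# then the file name. Anything shorter than 64 hex chars is rejected so that a
# truncated digest can never be accepted as a full one.
_LINE = re.compile(r"^([0-9a-f]{64}) [ *](\S+)$")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Return {filename: full hex digest}; raise on malformed or short hashes."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1)
    return entries


def verify_image(image: bytes, name: str, manifest: dict[str, str]) -> bool:
    """True only if the image's full SHA-256 equals the manifest entry for name."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unknown file name: do not guess, refuse to flash
    actual = hashlib.sha256(image).hexdigest()
    # compare_digest avoids timing differences and compares the whole string
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    manifest = parse_sha256sums(SAMPLE_MANIFEST)
    print("genuine image ok:", verify_image(SAMPLE_IMAGE, "openwrt-example-sysupgrade.bin", manifest))
    print("tampered image ok:", verify_image(SAMPLE_IMAGE + b"\x00", "openwrt-example-sysupgrade.bin", manifest))
```

A manifest obtained over the same untrusted channel as the image proves little on its own; it needs to be fetched over an authenticated channel or checked against the project's release signature before it is trusted.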
Source: https://thehackernews.com/2024/12/critical-openwrt-vulnerability-exposes.html