Critical Vulnerability in OpenWrt Attended SysUpgrade
12 December 2024
OpenWrt has released security updates addressing a critical vulnerability (CVE-2024-54143) affecting their Attended SysUpgrade (ASU) server. The ASU allows an OpenWrt device to update to new firmware while preserving the packages and settings.
CVE-2024-54143 consists of:
- A command injection vulnerability in Imagebuilder which could allow an attacker to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key.
- A truncated SHA-256 hash collision vulnerability which could allow an attacker to serve a previously built malicious image in place of a legitimate one, thus allowing the attacker to poison the artifact cache and deliver compromised images to unsuspecting users.
Successful exploitation of the vulnerability may allow the attacker to compromise the build artifact delivered from sysupgrade.openwrt[.]org, allowing the malicious firmware image to be installed on any OpenWrt installation that uses the attended firmware upgrade, firmware-selector.openwrt[.]org, or the attended[.]sysupgrade CLI upgrade.
The vulnerability affects all versions of the Attended SysUpgrade server that rely on truncated hashes and do not sanitise package input in the imagebuilder step.
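The two weaknesses named above, illustrated side by side with their hardened counterparts. This is an added example, not code from the ASU server or the OpenWrt project; the request field names, the package-name allowlist and the 12-hex-character truncation are assumptions made for illustration.

```python
import hashlib
import json
import re

# Constructed example of an ASU-style build request. Field names and
# values are assumptions for illustration, not the real ASU schema.
REQUEST = {
    "version": "23.05.5",
    "target": "ath79/generic",
    "profile": "tplink_archer-c7-v5",
    "packages": ["luci", "wireguard-tools"],
}

# Assumed strict allowlist for package names: a leading alphanumeric, then
# alphanumerics, '.', '+', '_' or '-'. Shell metacharacters, whitespace and
# path separators never match, so they cannot reach a build command line.
PACKAGE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.+_-]{0,127}")


def unsafe_packages(packages):
    """Return every package name that fails the allowlist (empty if all pass)."""
    return [p for p in packages if not PACKAGE_NAME.fullmatch(p)]


def canonical_request(req):
    """Serialise the request so that equal builds always hash identically.

    Package input is validated before it is used anywhere, and the package
    list is de-duplicated and sorted so ordering cannot change the key.
    """
    bad = unsafe_packages(req["packages"])
    if bad:
        raise ValueError(f"rejected package names: {bad}")
    body = {
        "version": req["version"],
        "target": req["target"],
        "profile": req["profile"],
        "packages": sorted(set(req["packages"])),
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def weak_cache_key(req, keep_hex=12):
    """The flawed pattern: a truncated digest keeps only keep_hex*4 bits,
    so two different requests can share a cache key and one request can be
    served the other's cached image."""
    return hashlib.sha256(canonical_request(req)).hexdigest()[:keep_hex]


def strong_cache_key(req):
    """Hardened pattern: the full SHA-256 digest of the canonical request."""
    return hashlib.sha256(canonical_request(req)).hexdigest()


def collision_work_bits(key_hex_len):
    """Birthday bound: roughly 2**(bits/2) trials to find any two requests
    that share a key of key_hex_len hex characters."""
    return key_hex_len * 4 // 2
```

With the assumed 12-character truncation the birthday bound is 2**24 trials, against 2**128 for the full digest, which is why the advisory's mitigation is to stop relying on truncated hashes.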
Users and administrators of affected product versions are advised to update to the latest version immediately.
More information is available here:
https://openwrt.org/advisory/2024-12-06
https://nvd.nist.gov/vuln/detail/CVE-2024-54143
https://securityexpress.info/cve-2024-54143-openwrt-sysupgrade-vulnerability-explained/