OpenWrt orders router firmware updates after supply chain attack scare

A couple of bugs lead to a potentially bad time


OpenWrt users should upgrade their images to the same version to protect themselves from a possible supply chain attack reported to the open source Wi-Fi router project last week.

Paul Spooren, developer at OpenWrt, emailed users on Friday regarding a security issue in the project's attended sysupgrade server (ASU) reported two days earlier by Ry0taK, a researcher at Japanese security firm Flatt Security.

Spooren wrote: "Due to the combination of the command injection in the 'openwrt/imagebuilder' image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision."

The first part, the command injection bug in Imagebuilder, exists due to the process not properly sanitizing user-supplied package names, which allows potential attackers to produce malicious firmware images that are signed with a legitimate build key.

The second part is a use of weak hash (CWE-328) vulnerability, which is tracked as CVE-2024-54143 and carries a provisional 9.3 CVSS severity rating.

Spooren said the SHA-256 hash is truncated to 12 characters, significantly reducing its complexity, potentially allowing attackers to generate collisions.

"By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to 'poison' the artifact cache and deliver compromised images to unsuspecting users," he said.

"Combined, these vulnerabilities enable an attacker to serve compromised firmware images through the ASU service, affecting the integrity of the delivered builds."
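To show why a 12-hex-character cache key is too short, here is an added Python example (not OpenWrt's or ASU's code; the request encoding and the package names are constructed assumptions). It derives a cache key from a build request both truncated and full-length, computes the birthday bound for each, and finds a collision on a much shorter truncation to make the structural weakness visible.

```python
import hashlib
import json
import math
from typing import Optional


def request_key(packages: list[str], hex_len: Optional[int] = None) -> str:
    """Derive a cache key for a build request from its package list.

    hex_len=None keeps the full 64-hex-char SHA-256 (the hardened form);
    hex_len=12 mimics the truncated key described in the advisory.
    The JSON encoding is a constructed assumption, not ASU's real format."""
    canonical = json.dumps({"packages": sorted(packages)}, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    return digest if hex_len is None else digest[:hex_len]


def birthday_bound(hex_len: int) -> float:
    """Approximate number of distinct requests after which two of them
    share a hex_len-character (4*hex_len bit) key with ~50% probability.
    For 12 hex chars (48 bits) this is on the order of 2**24, about 2.1e7;
    for the full 256-bit digest it is about 2**128 and out of reach."""
    bits = 4 * hex_len
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(hex_len: int) -> tuple[list[str], list[str]]:
    """Birthday search over constructed package lists; returns two different
    lists whose truncated keys match. Only practical here for small hex_len,
    which is exactly why a short key must never select a cached artifact."""
    seen: dict[str, list[str]] = {}
    i = 0
    while True:
        pkgs = ["luci", f"constructed-pkg-{i}"]  # constructed sample names
        key = request_key(pkgs, hex_len)
        if key in seen and seen[key] != pkgs:
            return seen[key], pkgs
        seen[key] = pkgs
        i += 1


if __name__ == "__main__":
    print("12-char key, expected requests to collide:", round(birthday_bound(12)))
    a, b = find_collision(4)
    print("4-char collision:", a, b, request_key(a, 4))
    print("full keys differ:", request_key(a) != request_key(b))
```

The same check applies to any artifact cache keyed on a shortened digest: compare the bound against the number of requests the service will ever see before deciding a truncation is safe.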

The ASU is a facility that allows users to more easily upgrade their firmware, leaving their packages and settings untouched.

The combined issues affected all ASU instances, but because those instances run on dedicated servers separate from Buildbot, no sensitive resources such as SSH keys or signing certificates were accessible.

OpenWrt said none of the official images hosted on its download page, nor any custom images from 24.10.0-rc2, were affected. It reviewed the build logs of other custom images and found no foul play; however, builds older than seven days were not checked due to automatic cleanup procedures.

Spooren said: "Although the possibility of compromised images is near 0, it is suggested to the user to make an in-place upgrade to the same version to eliminate any possibility of being affected by this. If you run a public, self-hosted instance of ASU, please update it immediately."

Alternatively, applying two specific commits, detailed in OpenWrt's advisory, will achieve the same result.

The announcement came just a few days after the project announced OpenWrt One – its first hardware platform jointly developed with the Software Freedom Conservancy (SFC).

It's being billed as a huge win for the right-to-repair movement and the SFC said the device is "unbrickable" due to a switch allowing it to flash NOR and NAND separately. ®
