CVE-2024-54143: Critical Vulnerability in OpenWrt’s Attended SysUpgrade Server Allows for Firmware Poisoning
OpenWrt, a popular open-source operating system for embedded devices, has disclosed a critical vulnerability (CVE-2024-54143) that could allow attackers to compromise the integrity of firmware updates delivered through its Attended SysUpgrade server. The vulnerability, with a CVSSv4 score of 9.3, stems from a combination of command injection and truncated SHA-256 hash collisions.
“Due to the combination of the command injection in the imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision,” explains the OpenWrt security advisory.
Two Vulnerabilities, One Critical Flaw
The vulnerability comprises two key components:
-
Command Injection in Imagebuilder: During image builds, user-supplied package names are incorporated into make commands without proper sanitization. This allows attackers to inject arbitrary commands into the build process, potentially resulting in malicious firmware images signed with the legitimate build key.
-
Truncated SHA-256 Hash Collisions: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for attackers to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, effectively “poisoning” the artifact cache.
Impact and Mitigation
Combined, these vulnerabilities enable an attacker to serve compromised firmware images through the attended.sysupgrade service, affecting the integrity of delivered builds. This could allow an attacker to install malicious firmware on OpenWrt devices that use the attended firmware upgrade, including those relying on firmware-selector.openwrt.org or the attended.sysupgrade CLI upgrade.
OpenWrt has addressed this vulnerability with the following fixes:
- util: security: critical: use full hash length: This commit utilizes the full SHA-256 hash length, preventing hash collisions.
- build_request: security: critical: fix user input validation: This commit ensures proper sanitization of user-supplied package names, preventing command injection.
Affected Versions
All versions of the attended.sysupgrade server that rely on truncated hashes and do not sanitize package input in the imagebuilder step are affected. This specifically includes versions between the “rewrite to fastapi” and “chore: cleanups and OpenWrt One as default” releases.
This vulnerability was discovered and responsibly disclosed by RyotaK, a security researcher at Flatt Security Inc. Technical details and proof of concept were shared in a comprehensive blog post, further highlighting the risks associated with this issue.
Recommendations
OpenWrt users are strongly urged to update their systems to the latest version to mitigate this critical vulnerability. Additionally, users should exercise caution when using the Attended SysUpgrade service and ensure they are obtaining firmware updates from a trusted source.
