A critical security vulnerability in OpenWRT’s Attended SysUpgrade (ASU) system has been identified, potentially enabling malicious actors to distribute compromised firmware to users. The vulnerability, tracked as CVE-2024-54143, has received a critical CVSS score of 9.3, highlighting the significant security implications for OpenWRT users worldwide.
Understanding the Security Vulnerabilities
The security flaws, discovered by a researcher from Flatt Security, affect the sysupgrade.openwrt.org service, which is responsible for generating custom firmware images while preserving installed packages and configurations. The investigation revealed two distinct vulnerabilities that could be exploited in tandem to compromise the firmware distribution system.
Command Injection Vulnerability
The first critical flaw stems from unsafe handling of the ‘make’ command within the containerized environment. This vulnerability allows attackers to inject arbitrary commands through package name manipulation, potentially leading to unauthorized code execution and system compromise.
Hash Collision Exploitation
The second vulnerability exploits a fundamental weakness in the build caching mechanism. The system implements a truncated 12-character SHA-256 hash, effectively reducing entropy to 48 bits. Using an NVIDIA RTX 4090 GPU, researchers demonstrated the ability to generate hash collisions, enabling the substitution of legitimate firmware builds with malicious versions.
Security Impact and Mitigation Measures
The OpenWRT development team responded swiftly to the security threat, implementing immediate countermeasures. The vulnerable service was temporarily suspended, security patches were applied, and system functionality was restored within three hours of notification. While no evidence suggests active exploitation in the wild, the automatic seven-day server cleanup policy makes comprehensive audit trails impossible to verify.
Users of OpenWRT systems should take immediate action to protect their devices. This includes updating to the latest firmware version, verifying the integrity of recent updates, and exercising caution when using self-hosted ASU instances. Network administrators managing OpenWRT devices should conduct security audits and implement additional verification measures for firmware updates. This incident serves as a crucial reminder of the importance of maintaining robust security practices in network infrastructure management and the critical nature of prompt security updates.
