A critical security flaw has been discovered in OpenWrt’s Attended Sysupgrade feature, potentially allowing attackers to distribute malicious firmware packages. The vulnerability, identified as CVE-2024-54143 with a CVSS v4 score of 9.3, was found by security researcher RyotaK during a routine router upgrade.
The Issue:
– Command injection vulnerability in the sysupgrade.openwrt.org service
– Insecure usage of the ‘make’ command in server code
– SHA-256 hash truncation to 12 characters (48 bits) in build artifacts
– A 48-bit hash is short enough to be brute-forced with modern GPUs
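The two technical points in this list, unsafe construction of a `make` invocation from untrusted input and the weakness of a 48-bit truncated hash, are illustrated by the following added Python example. It is not code from the OpenWrt or ASU projects: the package-name allowlist, the `make image PACKAGES=...` command shape and the request-key layout are assumptions chosen for illustration. It contrasts a shell-string `make` invocation with a validated argv one, and reports the brute-force work a truncated request hash leaves, including a toy collision count on a 16-bit truncation so the birthday bound can be seen rather than only quoted.

```python
import hashlib
import itertools
import json
import re
import subprocess

# Allowlist for package names used in this example (hypothetical policy, not the
# ASU project's actual rule): plain names only, no shell or make metacharacters.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,127}$")


def validate_packages(packages):
    """Reject any name outside the allowlist. Returns the validated list."""
    for name in packages:
        if not PACKAGE_NAME_RE.match(name):
            raise ValueError(f"invalid package name: {name!r}")
    return list(packages)


def build_cmd_vulnerable(packages):
    """Insecure pattern: untrusted names are spliced into one shell command
    string. Returned for inspection only; this example never executes it."""
    return "make image PACKAGES='" + " ".join(packages) + "'"


def build_argv_hardened(packages):
    """Safer pattern: validate first, then pass an argv list with shell=False.
    Avoiding the shell alone is not sufficient for make, which expands $(...)
    inside command-line variable values itself, so the allowlist is the
    control that actually matters."""
    clean = validate_packages(packages)
    return ["make", "image", "PACKAGES=" + " ".join(clean)]


def run_build(packages, dry_run=True):
    """Run the hardened invocation. dry_run=True only returns the argv."""
    argv = build_argv_hardened(packages)
    if dry_run:
        return argv
    return subprocess.run(argv, shell=False, check=True, capture_output=True)


def request_key(profile, packages, hex_chars=64):
    """Cache/artifact key derived from a build request (constructed layout).
    hex_chars=64 keeps the full SHA-256; hex_chars=12 reproduces a 48-bit
    truncation like the one described in the advisory."""
    canon = json.dumps({"profile": profile, "packages": sorted(packages)},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:hex_chars]


def work_factor_bits(hex_chars):
    """Strength of a truncated hex digest as (second-preimage bits, birthday bits).
    12 hex chars -> (48, 24); the birthday figure is what a collision costs."""
    bits = hex_chars * 4
    return bits, bits // 2


def toy_collision_attempts(hex_chars=4, limit=1 << 20):
    """Count distinct requests generated until two share a truncated key.
    With 4 hex chars (16 bits) the birthday bound predicts a few hundred
    attempts, far below the 2**16 a naive reading of the key size suggests."""
    seen = {}
    for i in itertools.count(1):
        key = request_key("example-profile", [f"pkg{i}"], hex_chars)
        if key in seen:
            return i
        seen[key] = i
        if i >= limit:
            return None


if __name__ == "__main__":
    print(build_cmd_vulnerable(["luci-ssl; echo injected"]))   # metacharacters pass straight through
    print(run_build(["luci-ssl", "curl"]))                      # validated argv, no shell
    print(work_factor_bits(12), work_factor_bits(64))
    print("16-bit toy collision after", toy_collision_attempts(4), "requests")
```

The design point is that the argv form and the allowlist are independent controls: the argv form removes `/bin/sh` from the path, and the allowlist removes the characters `make` would otherwise interpret. On the hash side, keep the full digest as the key; if a short identifier is needed for display, derive it from the full key but never let the short form be what the server trusts.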
Impact:
OpenWrt, a popular open-source Linux-based operating system for network devices and IoT hardware, is widely used as an alternative firmware for routers from major manufacturers including ASUS, Belkin, Buffalo, D-Link, and Zyxel.
Resolution:
– OpenWrt team responded within 3 hours on December 4, 2024
– The sysupgrade.openwrt.org service was temporarily taken down
– Security patch implemented
– No evidence of exploitation found in downloads.openwrt.org
Recommended Actions:
1. Users should perform in-place upgrades to eliminate potential security risks
2. Install newly generated firmware images
3. Self-hosted Attended Sysupgrade (ASU) instances should be updated immediately
While the OpenWrt team believes exploitation is unlikely, limited visibility into historical data (only 7 days) means users should take precautionary measures to ensure their devices’ security.