A severe security vulnerability (CVE-2024-54143) has been identified in OpenWrt’s Attended Sysupgrade (ASU) feature, potentially enabling attackers to distribute malicious firmware packages. The critical flaw, scoring 9.3 out of 10 on the CVSS scale, was discovered by security researcher RyotaK from Flatt Security.
The vulnerability affects OpenWrt, a widely used open-source Linux operating system for routers and embedded network devices. The flaw combines two separate weaknesses: a command injection vulnerability in the imagebuilder and the use of a truncated SHA-256 hash to identify build requests.
Key Impact:
– Attackers could inject malicious commands into the firmware build process
– Malicious firmware could be signed with legitimate build keys
– A collision on the 12-character truncated SHA-256 hash could allow a malicious build to be served in place of a legitimate firmware image
– No authentication required to exploit the vulnerability
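As an added illustration (not code from the OpenWrt project or from the advisory), the Python block below quantifies why a 12-hex-character SHA-256 prefix is a weak identifier: it estimates the birthday bound for a given truncation length, demonstrates a prefix collision on a much shorter 6-character truncation, and shows the defensive check of comparing the full digest. The `build-request-` seed and the counter-based input format are constructed placeholders and are not OpenWrt's real build-request format.

```python
import hashlib
import hmac
import math


def birthday_work(hex_chars: int) -> float:
    """Approximate number of distinct inputs needed for a ~50% chance that two
    of them share the same hash prefix of `hex_chars` hex characters (4 bits each).
    This is the birthday bound sqrt(pi/2 * 2^bits)."""
    bits = 4 * hex_chars
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_truncated_collision(hex_chars: int, seed: bytes = b"build-request-"):
    """Birthday search over constructed, distinct inputs until two of them share
    the same truncated SHA-256 prefix. Returns (input_a, input_b, shared_prefix).
    The seed/counter layout is a placeholder, not a real build-request format."""
    seen = {}
    n = 0
    while True:
        msg = seed + n.to_bytes(8, "big")  # distinct candidate input
        prefix = hashlib.sha256(msg).hexdigest()[:hex_chars]
        if prefix in seen:
            return seen[prefix], msg, prefix
        seen[prefix] = msg
        n += 1


def verify_full_digest(expected_hex: str, payload: bytes) -> bool:
    """Defensive check: identify the request by its complete SHA-256 digest and
    compare it in constant time, instead of trusting a short prefix."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    # ~2.1e7 hashes for a 12-char prefix versus ~4e38 for the full 64-char digest
    print(f"12 hex chars: ~{birthday_work(12):.2e} hashes to expect a collision")
    print(f"64 hex chars: ~{birthday_work(64):.2e} hashes to expect a collision")
    a, b, p = find_truncated_collision(6)  # 24-bit prefix collides in seconds
    print(f"prefix {p}: inputs {a!r} and {b!r} collide on the truncated hash")
    full_a = hashlib.sha256(a).hexdigest()
    print("full-digest check accepts the substitute:", verify_full_digest(full_a, b))
```

Running the block finds a 6-character prefix collision after a few thousand hashes, while the full-digest comparison still rejects the substituted input.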
The security team has patched the vulnerability in ASU version 920c8a1. While it is unclear how long the vulnerability existed, there are no confirmed cases of exploitation in the wild. Users are strongly advised to update their systems to the latest version immediately to mitigate the risk.