Source: www.govinfosecurity.com – Author:
Endpoint Security , Internet of Things Security
Flaw in Embedded Device Operating System Allowed Hackers to Bypass Integrity Check Anviksha More (AnvikshaMore) • December 10, 2024
A critical flaw in the updating service of a popular Linux operating system for embedded devices could enable hackers to compromise firmware with malicious images.
See Also: Frost Radar™ on Healthcare IoT Security in the United States
Security researcher “RyotaK” from Flatt Security discovered a vulnerability in OpenWrt’s update service during a routine home lab router upgrade.
OpenWrt is an open-source operating system tailored for embedded devices, especially network devices such as routers, access points and other IoT hardware. It is a popular choice for manufacturer-provided firmware owing to its advanced features and broad support for routers from brands such as ASUS, Belkin, Buffalo, D-Link and Zyxel, among others.
OpenWrt developers patched the vulnerability, with a CVSS core of 9.3 and tracked as CVE-2024-54143 after RyotaK privately disclosed the flaw.
OpenWrt features a service called Attended Sysupgrade, which enables users to generate custom firmware builds on demand, incorporating previously installed packages and settings.
RyotaK found the security issue in OpenWrt’s image-on-demand server ASU. The service is powered by the server at sysupgrade.openwrt.org
, which enables users to request custom firmware images tailored to their device and chosen software packages. Once the image is generated and delivered, OpenWrt installs it on the device.
The issue involves two vulnerabilities. First is a truncated SHA-256 hash that allows attackers to bypass integrity checks. A malicious actor could modify the firmware without triggering an alert, allowing malicious firmware to be installed without detection.
The second flaw is a command injection vulnerability. This issue occurs when an attacker can inject malicious commands into the firmware building process. This flaw allows attackers to manipulate the creation of firmware images, potentially embedding harmful code into the firmware, giving the attacker control over devices that installed the manipulated firmware.
The OpenWrt team said there is no evidence suggesting the vulnerability affected images from downloads.openwrt.org
. But since their visibility is limited to the past 7 days, users are advised to install a newly generated image to replace any potentially insecure firmware currently installed on their devices.
Original Post URL: https://www.govinfosecurity.com/openwrt-update-flaw-exposed-devices-to-malicious-firmware-a-27017
Category & Tags: –
Views: 3