OpenWrt vulnerability puts routers and other embedded devices at risk

Yesterday, ForAllSecure published a blog post by Guido Vranken detailing a vulnerability in OpenWrt, a Linux-based operating system for embedded devices that route network traffic. The vulnerability is found in OpenWrt’s opkg utility, which is used to install or update software. opkg pulls lists of installation packages from the OpenWrt website via an unencrypted HTTP connection. The package lists are digitally signed with a SHA256 hash by the OpenWrt maintainers, which the opkg installer checks to ensure the package list has not been tampered with.

However, there is a bug in the code that runs this check. A leading space in the checksum will cause opkg to skip the code that checks the integrity of the package and go straight to installation. Thus, a remote man-in-the-middle attacker could intercept the transmission of package lists and replace a package with a malicious one. The malicious package could then bypass the check, giving the attacker control over the device and the network traffic routed through it. Vranken explains how such a package could be created:

The sole constraint to reckon with is that the file size of compromised package must match the Size field in the package list.

Doing this is trivial:

  • Create a package that is smaller than the original
  • Compute the size difference between the original package and the compromised package
  • Append this amount of zero bytes to the end of the compromised package

According to Vranken, this bug appeared all the way back in February of 2017. The vulnerability appears in the National Vulnerability Database and the Common Vulnerabilities and Exposures system as CVE-2020-7982, and has a vulnerability score of 8.1 (high). OpenWrt was alerted to the vulnerability and has released updates that contain a fix. Devices running OpenWrt should be updated to the latest version of the operating system or should have their opkg packages updated.


To our knowledge, OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0 as well as LEDE 17.01.0 to 17.01.7 are affected. The fixed packages are integrated in the OpenWrt 18.06.7, OpenWrt 19.07.1 and subsequent releases.
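The failure mode described above, a malformed checksum causing the integrity check to be skipped rather than failed, is shown here as an added Python example; it is not code from opkg or from the original article. The stanza layout, function names and sample data are constructed, and `verify_fail_open` is a simplified model of the described behaviour, not opkg's C implementation.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-f]{64}")
DIGITS = re.compile(r"[0-9]+")


def parse_entry(text):
    """Parse one package-list stanza; drop only the single space after ':'."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name] = value[1:] if value.startswith(" ") else value
    return fields


def verify_fail_open(fields, blob):
    """Simplified model of the flaw: an undecodable checksum counts as 'none'."""
    declared = fields.get("SHA256sum", "")
    if not HEX64.fullmatch(declared):
        return True  # integrity check skipped, package accepted
    return hashlib.sha256(blob).hexdigest() == declared


def verify_fail_closed(fields, blob):
    """Strict check: missing or malformed Size/SHA256sum rejects the package."""
    declared = fields.get("SHA256sum", "")
    size = fields.get("Size", "")
    if not HEX64.fullmatch(declared) or not DIGITS.fullmatch(size):
        return False
    if len(blob) != int(size):
        return False
    return hashlib.sha256(blob).hexdigest() == declared


# Constructed sample data, not a real package or package list.
ORIGINAL = b"constructed package payload" * 4
SWAPPED = b"X" * len(ORIGINAL)  # different content, same length
DIGEST = hashlib.sha256(ORIGINAL).hexdigest()
GOOD = parse_entry(f"Package: demo\nSize: {len(ORIGINAL)}\nSHA256sum: {DIGEST}\n")
MALFORMED = parse_entry(f"Package: demo\nSize: {len(ORIGINAL)}\nSHA256sum:  {DIGEST}\n")

if __name__ == "__main__":
    for label, entry in (("good list", GOOD), ("leading-space list", MALFORMED)):
        for name, blob in (("original", ORIGINAL), ("swapped", SWAPPED)):
            print(label, name, "open:", verify_fail_open(entry, blob),
                  "closed:", verify_fail_closed(entry, blob))
```

The strict verifier rejects the leading-space entry even for the unmodified payload, which is the intended behaviour: a checksum field that cannot be parsed is an error, not an absent check.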

Nathan Wasson

Inquiring mind, tech journalist, car enthusiast, gamer.

2 years ago

Thanks for the hot tip. I spent the afternoon updating my Linksys WRT1900AC bios. I’m glad I did, there are some new features with the new bios.

2 years ago

I like DDWrt and OpenWrt. But there is an issue everywhere even in closed system.

2 years ago
Reply to  Krogoth

Nice try Krogoth.

But here at Intel we have now ascended to a higher plane of existence where we cancel support for OTHER PEOPLE’S products.

2 years ago
Reply to  chuckula

Did you know that Intel already cancelled support and security on their networking products?

2 years ago

I dunk my router in hot soapy water for a thorough cleaning at least 5 times a day.

This router is fully protected from Coronavirus and any men in the middle!
