OpenWrt vulnerability puts routers and other embedded devices at risk

Yesterday, ForAllSecure published a blog post by Guido Vranken detailing a vulnerability in OpenWrt, a Linux-based operating system for embedded devices that route network traffic. The vulnerability is found in OpenWrt’s opkg utility, which is used to install or update software. opkg pulls lists of installation packages from the OpenWrt website via an unencrypted HTTP connection. The package lists are digitally signed with a SHA256 hash by the OpenWrt maintainers, which the opkg installer checks to ensure the package list has not been tampered with.

However, there is a bug in the code that runs this check. A leading space in the checksum will cause opkg to skip the code that checks the integrity of the package and go straight to installation. Thus, a remote man-in-the-middle attacker could intercept the transmission of package lists and replace a package with a malicious one. The malicious package could then bypass the check, giving the attacker control over the device and the network traffic routed through it. Vranken explains how such a package could be created:

The sole constraint to reckon with is that the file size of compromised package must match the Size field in the package list.

Doing this is trivial:

  • Create a package that is smaller than the original
  • Compute the size difference between the original package and the compromised package
  • Append this amount of zero bytes to the end of the compromised package

According to Vranken, this bug appeared all the way back in February of 2017. The vulnerability appears in the National Vulnerability Database and the Common Vulnerabilities and Exposures system as CVE-2020-7982, and has a vulnerability score of 8.1 (high). OpenWrt was alerted to the vulnerability and has released updates that contain a fix. Devices running OpenWrt should be updated to the latest version of the operating system or should have their opkg packages updated.
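The fail-closed behaviour such a check needs, as an added example (not opkg's code and not from the original article): a malformed checksum field, including one with a leading space, is treated as a verification failure instead of a reason to skip verification. It assumes package-list entries with `Package`, `Size` and `SHA256sum` fields; the function names and all sample data are constructed for illustration.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-f]{64}")  # exactly 64 lowercase hex digits, no whitespace

def parse_index(text):
    """Parse package-list text into {package name: {field: raw value}}."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line[0].isspace():  # skip continuation lines
                # Drop only the one separator space so stray whitespace stays visible.
                fields[key] = value[1:] if value.startswith(" ") else value
        if "Package" in fields:
            pkgs[fields["Package"].strip()] = fields
    return pkgs

def verify(fields, blob):
    """Fail closed: a missing or malformed checksum rejects the package."""
    digest = fields.get("SHA256sum")
    if digest is None:
        return (False, "no SHA256sum field")
    if not HEX64.fullmatch(digest):
        return (False, "malformed SHA256sum")
    size = fields.get("Size", "")
    if not re.fullmatch(r"[0-9]+", size) or int(size) != len(blob):
        return (False, "size mismatch")
    if hashlib.sha256(blob).hexdigest() != digest:
        return (False, "hash mismatch")
    return (True, "ok")

# Constructed sample data, not a real OpenWrt package or index entry.
ORIGINAL = b"constructed original package bytes"
SAME_SIZE = b"different content".ljust(len(ORIGINAL), b"\0")
INDEX = ("Package: demo\nVersion: 1.0\nSize: {size}\nSHA256sum: {sha}\n"
         "Description: constructed entry\n for this example\n")

def demo():
    digest = hashlib.sha256(ORIGINAL).hexdigest()
    clean = parse_index(INDEX.format(size=len(ORIGINAL), sha=digest))["demo"]
    spaced = parse_index(INDEX.format(size=len(ORIGINAL), sha=" " + digest))["demo"]
    return [verify(clean, ORIGINAL), verify(clean, SAME_SIZE), verify(spaced, SAME_SIZE)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A matching `Size` alone proves nothing about content, which is why the size check here only ever runs alongside a hash comparison that cannot be skipped.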

AFFECTED VERSIONS

To our knowledge, OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0 as well as LEDE 17.01.0 to 17.01.7 are affected. The fixed packages are integrated in the OpenWrt 18.06.7, OpenWrt 19.07.1 and subsequent releases.

Nathan Wasson

Inquiring mind, tech journalist, car enthusiast, gamer.

5 Comments
Tarrasik
3 months ago

Thanks for the hot tip. I spent the afternoon updating my Linksys WRT1900AC bios. I’m glad I did, there are some new features with the new bios.

pogsnet
3 months ago

I like DDWrt and OpenWrt. But there is an issue everywhere, even in closed systems.

chuckula
3 months ago

I dunk my router in hot soapy water for a thorough cleaning at least 5 times a day.

This router is fully protected from Coronavirus and any men in the middle!

Krogoth
3 months ago
Reply to  chuckula

Did you know that Intel already cancelled support and security on their networking products?

chuckula
3 months ago
Reply to  Krogoth

Nice try Krogoth.

But here at Intel we have now ascended to a higher plane of existence where we cancel support for OTHER PEOPLE’S products.
