Millions of devices such as home routers are vulnerable to a critical flaw that may let a hacker execute malicious code. The flaw was discovered in OpenWrt, an open-source, Linux-based OS for embedded devices like routers. The bug, found in the OPKG package manager, can let attackers intercept traffic and send a malicious update to users. OpenWrt has responded with updates that patch this vulnerability.
Exploiting the flaw
A security researcher named Guido Vranken from ForAllSecure discovered this flaw, which had existed in OpenWrt devices for 3 years. OpenWrt installation files and updates were sent over unencrypted, insecure HTTP connections. Although they passed over this insecure channel, the files were digitally signed to make them look legitimate.
Yet there is a flaw. Before applying them, OpenWrt verifies these files' integrity against a SHA-256 hash, where the two checksums should match. If they do not, the files should be discarded. Here, Vranken discovered that the SHA256sum field is not read correctly due to a simple programming error. The bug comes into play whenever these OpenWrt files are installed.
This gives an attacker the chance to create a similar file that matches the required size, fooling the process and replacing the original with a malicious file. This is then sent to users' routers, which gives the attacker a chance to deliver a payload via RCE attacks. This bug was identified as CVE-2020-7982 in early 2017 and affects OpenWrt versions 18.06.0 through 18.06.6 and 19.07.0.
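The failure mode described above, as an added example that is not OPKG's own code: a verifier that treats an unparseable checksum as absent falls back to the size check alone, while a fail-closed verifier rejects the file. The function names, the assumed mechanism (a leading space makes the field unparseable and the comparison is skipped) and the sample entry are all constructed for illustration.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-f]{64}")

def parse_entry(text):
    """Split a 'Key: value' package-list entry into a dict, values left raw."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value  # raw value keeps its leading space
    return fields

def lenient_verify(fields, blob):
    """Fail-open pattern (assumed): an unparseable checksum counts as absent."""
    if len(blob) != int(fields["Size"]):
        return False
    raw = fields.get("SHA256sum", "")
    digest = raw if HEX64.fullmatch(raw) else None  # leading space -> None
    if digest is None:
        return True  # nothing to compare against, so the size check decides
    return hashlib.sha256(blob).hexdigest() == digest

def strict_verify(fields, blob):
    """Fail-closed pattern: a missing or malformed checksum rejects the file."""
    if len(blob) != int(fields["Size"].strip()):
        return False
    digest = fields.get("SHA256sum", "").strip().lower()
    if not HEX64.fullmatch(digest):
        return False
    return hashlib.sha256(blob).hexdigest() == digest

# Constructed sample data: a genuine package body and a same-size substitute.
GENUINE = b"genuine package contents"
SUBSTITUTE = b"tampered package content"
ENTRY = ("Package: example\n"
         f"Size: {len(GENUINE)}\n"
         f"SHA256sum: {hashlib.sha256(GENUINE).hexdigest()}\n")

if __name__ == "__main__":
    fields = parse_entry(ENTRY)
    for name, blob in (("genuine", GENUINE), ("substitute", SUBSTITUTE)):
        print(name, "lenient:", lenient_verify(fields, blob),
              "strict:", strict_verify(fields, blob))
```

The lenient verifier accepts both files because only the size is ever compared; the strict one accepts only the genuine file and also rejects an entry with no checksum at all.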
Updating rectifies all
Updating to the latest security versions is the only remedy. OpenWrt responded to Guido Vranken's reports and immediately removed the space in the SHA256sum from the package list. This change takes effect on updating OpenWrt to versions 18.06.7 or 19.07.1.