OpenWrt Vulnerability Let Attackers Inject Malicious Firmware Images

A critical vulnerability in OpenWrt’s firmware upgrade system was recently unveiled by the security researcher RyotaK of Flatt Security Inc.

The exploit, which combines a truncated SHA-256 collision with a command injection technique, could have potentially compromised the entire OpenWrt supply chain.

The vulnerability was discovered in the ‘sysupgrade.openwrt.org’ service, which allows users to build and download custom firmware images.

RyotaK found that the service was susceptible to two key issues:

  1. Command Injection: The researcher identified a flaw in the way the service handled user-provided package lists, allowing arbitrary command execution within the build environment.
  2. SHA-256 Collision: A more insidious problem lay in the caching mechanism. The service used a truncated SHA-256 hash (only 12 characters) of the package list as a cache key. This truncation significantly reduced the hash space, making collisions feasible.
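To show why a 12-character cache key is weak, the Python below is an added illustration (not code from the researcher's write-up or from the sysupgrade service). It computes the birthday bound for a key of a given length, runs a birthday search on a deliberately shorter toy truncation so the effect is visible in seconds, and shows that keying on the full digest removes the collision. The package names and the key derivation are constructed assumptions.

```python
import hashlib
import math
import secrets
from typing import List, Optional, Tuple

def cache_key(package_list: List[str], hex_chars: Optional[int] = None) -> str:
    """Derive a cache key from a sorted package list (assumed derivation).
    hex_chars=None keeps the full SHA-256 digest (64 hex chars, 256 bits);
    a small value reproduces the truncated-key design described above."""
    canonical = "\n".join(sorted(package_list)).encode()
    digest = hashlib.sha256(canonical).hexdigest()
    return digest if hex_chars is None else digest[:hex_chars]

def birthday_bound(hex_chars: int) -> float:
    """Approximate number of random inputs at which a collision among keys of
    hex_chars hex digits (4 bits each) becomes ~50% likely: sqrt(pi/2 * 2^bits)."""
    bits = 4 * hex_chars
    return math.sqrt(math.pi / 2 * 2 ** bits)

def find_collision(hex_chars: int, max_tries: int = 200_000) -> Optional[Tuple[List[str], List[str]]]:
    """Birthday search on a *toy* truncation: generate random package lists until
    two distinct lists share the same truncated key. Returns the pair, or None
    if max_tries is exhausted. Memory grows with the number of keys seen."""
    seen = {}
    for _ in range(max_tries):
        # Constructed package list: one fixed package plus a random-named one.
        pkgs = ["luci", "constructed-pkg-" + secrets.token_hex(4)]
        key = cache_key(pkgs, hex_chars)
        if key in seen and seen[key] != pkgs:
            return seen[key], pkgs
        seen[key] = pkgs
    return None

if __name__ == "__main__":
    print(f"12 hex chars (48 bits): ~{birthday_bound(12):,.0f} tries to 50% collision")
    print(f"64 hex chars (256 bits): ~{birthday_bound(64):.3g} tries")
    pair = find_collision(6)  # 24-bit toy key: collides after a few thousand tries
    if pair:
        a, b = pair
        print("truncated keys equal:", cache_key(a, 6) == cache_key(b, 6))
        print("full digests equal:  ", cache_key(a) == cache_key(b))
```

The 48-bit figure is why a single consumer GPU suffices: around twenty million candidate package lists is trivial work, while the full digest pushes the same search far beyond reach.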

Technical Analysis

By combining these vulnerabilities, an attacker could potentially force the server to return malicious firmware to users requesting legitimate package combinations. This attack vector posed a severe threat to the integrity of OpenWrt’s distribution system.

The discovery process involved sophisticated techniques, including GPU-accelerated hash cracking using a modified version of the Hashcat tool.

RyotaK successfully generated a collision within an hour using an RTX 4090 graphics card, demonstrating the practicality of the attack.

Upon responsibly disclosing the vulnerabilities, the OpenWrt team acted swiftly. They temporarily suspended the ‘sysupgrade.openwrt.org’ service, investigated the issue, and deployed a fix within three hours.

The team also issued a public announcement, urging users to check their devices for potential compromise.

This incident highlights the ongoing challenges in securing software supply chains, even for well-established open-source projects like OpenWrt.

It underscores the importance of rigorous security audits and the potential risks associated with user-interactive build systems.

The discovery emphasizes the need for robust hashing practices in security-critical applications.

As the Internet of Things continues to expand, with OpenWrt powering numerous routers and embedded devices, this vulnerability is an alarm for both developers and users to remain vigilant about firmware integrity and update processes.
