[OpenWrt-Devel] Security Advisory 2019-11-05-2 - LuCI CSRF vulnerability (CVE-2019-17367)

Hauke Mehrtens hauke at hauke-m.de
Wed Nov 13 17:34:46 EST 2019


Security Advisory 2019-11-05-2 - LuCI CSRF vulnerability (CVE-2019-17367)


DESCRIPTION

A logic flaw in LuCI's HTTP routing component led to ineffective CSRF
token testing for various request endpoints, specifically ones using
the `arcombine()` dispatch action.

This allows third-party web pages running in the same browser session
as an active LuCI login session to perform unintended operations on
the device without user intervention, such as changing firewall rules
or reconfiguring the network.
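The following is an added illustration, not LuCI's dispatcher or its arcombine() code: a toy router in Python showing the general class of flaw the advisory describes (a CSRF token check that is tied to how a route is declared rather than applied to every state-changing request, so one dispatch shape slips past it) next to the hardened form that validates the token for every non-safe method before any handler runs. The route names, the "combine" node shape and the session token are all constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict

# Constructed example: a toy HTTP dispatcher demonstrating the bug class in the
# advisory (a CSRF check that is skipped for one routing path) and its fix.
# It is NOT LuCI's dispatcher; the route shapes below are hypothetical.


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)
    session_token: str = ""  # token the server stored for the login session


def action_set_firewall(req: Request) -> str:
    return "firewall updated"


def action_show_status(req: Request) -> str:
    return "status page"


# Route table. A "combine" node picks a read-only handler for GET and a
# modifying handler for POST, mirroring the idea of a dispatch action that
# merges two targets (hypothetical shape, named after the advisory's wording).
ROUTES = {
    "/admin/firewall": {"handler": action_set_firewall, "modifies": True},
    "/admin/status": {"handler": action_show_status, "modifies": False},
    "/admin/combined": {"combine": (action_show_status, action_set_firewall)},
}


def token_valid(req: Request) -> bool:
    """Constant-time comparison of the submitted token with the session token."""
    submitted = req.form.get("token", "")
    return bool(req.session_token) and hmac.compare_digest(submitted, req.session_token)


def dispatch_vulnerable(req: Request) -> str:
    node = ROUTES.get(req.path)
    if node is None:
        return "404"
    # Flaw: the token is only checked when the node itself carries the
    # "modifies" flag. A "combine" node has no such flag, so the POST branch
    # it delegates to runs without any CSRF check.
    if node.get("modifies") and req.method == "POST" and not token_valid(req):
        return "403 csrf"
    if "combine" in node:
        get_handler, post_handler = node["combine"]
        return (post_handler if req.method == "POST" else get_handler)(req)
    return node["handler"](req)


def dispatch_fixed(req: Request) -> str:
    node = ROUTES.get(req.path)
    if node is None:
        return "404"
    # Hardened: the token requirement depends only on the request method, not
    # on how the route was declared, and it is enforced before any handler
    # is resolved or run.
    if req.method not in ("GET", "HEAD") and not token_valid(req):
        return "403 csrf"
    if "combine" in node:
        get_handler, post_handler = node["combine"]
        return (post_handler if req.method == "POST" else get_handler)(req)
    return node["handler"](req)


if __name__ == "__main__":
    session = "constructed-session-token"
    # A cross-site form post carries the victim's cookie but no token field.
    forged = Request("POST", "/admin/combined", {}, session)
    print("vulnerable:", dispatch_vulnerable(forged))  # handler runs
    print("fixed:     ", dispatch_fixed(forged))       # rejected
```

The design point is that the check keys off the HTTP method of the incoming request, which the browser sets, rather than off per-route metadata that a developer can forget to attach to a new dispatch shape; a missing flag then fails closed instead of open.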


REQUIREMENTS

In order to exploit this vulnerability, a user needs to be logged into
LuCI while visiting malicious websites in the same browser session, e.g.
within a different tab.


MITIGATIONS

To fix this issue, update the affected LuCI package using the command
below.

   `opkg update; opkg upgrade luci-base`

The fix is contained in the following and later versions:

 - OpenWrt master: git-19.282.28544-f8c6eb6
 - OpenWrt 19.07:  git-19.282.28544-f8c6eb6
 - OpenWrt 18.06:  git-19.282.28671-ee38da9

To work around the problem, avoid visiting malicious sites while logged
into LuCI. Changing the default router IP and hostname can also help to
mitigate the issue somewhat, as CSRF exploits require predictable URL
targets to work.


AFFECTED VERSIONS

To our knowledge, LuCI packages with OpenWrt versions 18.06.0 to 18.06.4
are affected.
The fixed LuCI packages are integrated in the OpenWrt 18.06.5, OpenWrt
19.07.0-rc1 and subsequent releases. Older versions of OpenWrt (e.g.
OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.


CREDITS

The issue has been reported by Abhinav Mohanty <amohant1 at uncc.edu>,
Parag Mhatre <pmhatre1 at uncc.edu> and Dr. Meera Sridhar
<msridhar at uncc.edu> from the University of North Carolina, Charlotte on
8th October 2019.
The issue has been fixed by Jo-Philipp Wich <jo at mein.io>.


REFERENCES

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17367
https://github.com/openwrt/luci/commit/f8c6eb67cd9da09ee20248fec6ab742069635e47
https://github.com/openwrt/luci/commit/ee38da958abeceb31fbd1f3b8e42afe5897dde7f
