Security Advisory 2024-12-06-1 - OpenWrt Attended SysUpgrade server: Build artifact poisoning via truncated SHA-256 hash and command injection (CVE-2024-54143)

Petr Štetiar ynezz at true.cz
Fri Dec 6 23:38:37 PST 2024


DESCRIPTION

Due to the combination of a command injection in the image builder and the
truncated SHA-256 hash used as the build request hash, an attacker can
poison the legitimate image by providing a package list that causes a hash
collision. The issue consists of two main components:

 1. Command Injection in Imagebuilder

 User-supplied package names are incorporated into `make` commands without
 proper sanitization, allowing malicious users to inject arbitrary commands
 into the build process. This results in the production of malicious firmware
 images signed with the legitimate build key.

 2. Truncated SHA-256 Hash Collisions

 The request hashing mechanism truncates SHA-256 hashes to 12 characters,
 significantly reducing entropy and enabling attackers to generate collisions.
 Exploiting this allows a previously built malicious image to replace
 legitimate ones, compromising the artifact cache.

Combined, these vulnerabilities enable attackers to serve compromised firmware
images via the Attended SysUpgrade service, affecting the integrity of
delivered builds.

The issue has been assigned CVE-2024-54143. For details, visit https://www.cve.org/CVERecord?id=CVE-2024-54143
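The following is an added illustration of the two weaknesses above and their defensive counterparts; it is not code from the ASU project. It assumes a hypothetical canonical JSON encoding of the build request and a hypothetical strict package-name pattern; the 12-character truncation models the pre-fix behaviour, the full digest the fixed one.

```python
import hashlib
import json
import re

# Hypothetical allowlist for package names (not the project's own regex):
# only letters, digits, '.', '_', '+' and '-', so no shell metacharacters
# can ever reach the `make` command line as anything but a plain token.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def is_valid_package_name(name):
    """True if the name matches the strict allowlist pattern."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def validate_packages(packages):
    """Return the package list unchanged, or raise on the first name that
    fails the allowlist (the fix for the injection component)."""
    for name in packages:
        if not is_valid_package_name(name):
            raise ValueError(f"invalid package name: {name!r}")
    return list(packages)


def request_hash(request, truncate_to=None):
    """SHA-256 over a canonical encoding of the build request (assumed
    encoding: sorted-key compact JSON).  truncate_to=12 reproduces the
    weak 48-bit identifier; None keeps the full 64-hex-character digest."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return digest[:truncate_to] if truncate_to else digest


def hash_bits(hex_digest):
    """Security level of the identifier in bits: 4 bits per hex character."""
    return 4 * len(hex_digest)


if __name__ == "__main__":
    # Constructed sample request, not a real ASU request.
    req = {"target": "x86/64", "version": "23.05.5", "packages": ["luci", "curl"]}
    print("truncated:", hash_bits(request_hash(req, truncate_to=12)), "bits")  # 48
    print("full:     ", hash_bits(request_hash(req)), "bits")                  # 256
    print("rejected: ", not is_valid_package_name("curl; echo injected"))       # True
```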


REQUIREMENTS

An attacker needs the ability to submit build requests with crafted package
lists. No authentication is required to exploit these vulnerabilities. By
injecting commands and causing hash collisions, attackers can serve malicious
images in place of legitimate ones.


IMPACT

Attackers can compromise the build artifacts delivered via
sysupgrade.openwrt.org, potentially leading to malicious firmware being
installed during the attended firmware upgrade process.


MITIGATIONS

The vulnerabilities have been fixed in the following commits:

- commit deadda8097d4 ("build_request: security: critical: fix user input validation")
  https://github.com/openwrt/asu/commit/deadda8097

- commit d4c9e8b555ee ("util: security: critical: use full hash length")
  https://github.com/openwrt/asu/commit/d4c9e8b555


AFFECTED VERSIONS

All versions of the Attended SysUpgrade server relying on truncated hashes and
unsanitized package input are affected. This includes versions between the
following commits:

- commit c10687bd5ac5 ("rewrite to fastapi")
  https://github.com/openwrt/asu/commit/c10687b

- commit 920c8a13d97b ("chore: cleanups and OpenWrt One as default")
  https://github.com/openwrt/asu/commit/920c8a1


CREDITS

This issue was identified and responsibly disclosed by security researcher
@RyotaK from Flatt Security Inc. and fixed by Paul Spooren (@aparcar).


TIMELINE

- 2024-12-04  02:56 UTC: Issue reported by @Ry0taK
- 2024-12-04 ~07:00 UTC: Official instance stopped by @aparcar
- 2024-12-04  09:42 UTC: Fix committed and deployed by @aparcar
- 2024-12-04  10:38 UTC: Investigation into potential exploitation (negative result for last 7 days)
- 2024-12-04 ~11:00 UTC: Known maintainers of ASU instances informed
- 2024-12-05  21:57 UTC: Email to OpenWrt project members
- 2024-12-06 ~12:00 UTC: Release of specific commit showing the issue


REFERENCES

- CVE-2024-54143: https://www.cve.org/CVERecord?id=CVE-2024-54143
- Build artifact poisoning via truncated SHA-256 hash and command injection (GHSA): https://github.com/openwrt/asu/security/advisories/GHSA-r3gq-96h6-3v7q