Attended Sysupgrade Server CVE-2024-54143
Christian Marangi (Ansuel)
ansuelsmth at gmail.com
Fri Dec 6 14:42:06 PST 2024
Forwarding this also to devel list in case anyone might miss this.
---
Hi,
last Wednesday we got notified of a security issue of the sysupgrade
server ASU[1]. It affected all ASU instances including the the
official instance[2].
Official ASU instances runs on dedicated servers separate from OpenWrt
Buildbot and doesn't have access to any sensible resource (SSH Keys,
Sign Certs...)
NO OFFICIAL IMAGES from the downloads.openwrt.org were AFFECTED nor
any custom images from 24.10.0-rc2.
Available build logs for other custom images were checked and NO
MALICIOUS REQUEST FOUND, however due to automatic cleanups no builds
older than 7 days could be checked. Affected server is reset and
reinizialized from scratch.
Although the possibility of compromised images is near 0, it is
SUGGESTED to the user to make an INPLACE UPGRADE to the same version
to ELIMINATE any possibility of being affected by this.
If you run a public, self hosted instance of ASU, please update it
immediately. (or apply the following commits [3] [4])
Please find all details below, on GitHub[5] or our own security tracker[6].
Thanks to RyotaK from Flatt Security Inc. for finding and report this issue!
Please be safe,
Paul
[1]: https://github.com/openwrt/asu
[2]: https://sysupgrade.openwrt.org
[3]: https://github.com/openwrt/asu/commit/deadda8097d49500260b171d2bf8ad2b048da04b
[4]: https://github.com/openwrt/asu/commit/d4c9e8b555eee52f17698e9cea05dc45112dd31b
[5]: https://github.com/openwrt/asu/security/advisories/GHSA-r3gq-96h6-3v7q
[6]: https://openwrt.org/advisory/2024-12-06
---
Below is a copy of the CVE detail and Timeline
# Summary
Due to the combination of the command injection in the
`openwrt/imagebuilder` image and the truncated SHA-256 hash included
in the build request hash, an attacker can pollute the legitimate
image by providing a package list that causes the hash collision. The
issue consists of two main components:
1. **Command Injection in Imagebuilder**: During image builds,
user-supplied package names are incorporated into `make` commands
without proper sanitization. This allows malicious users to inject
arbitrary commands into the build process, resulting in the production
of malicious firmware images signed with the legitimate build key.
2. **Truncated SHA-256 Hash Collisions**: The request hashing
mechanism truncates SHA-256 hashes to only 12 characters. This
significantly reduces entropy, making it feasible for an attacker to
generate collisions. By exploiting this, a previously built malicious
image can be served in place of a legitimate one, allowing the
attacker to "poison" the artifact cache and deliver compromised images
to unsuspecting users.
Combined, these vulnerabilities enable an attacker to serve
compromised firmware images through the ASU service, affecting the
integrity of the delivered builds.
# Timeline
* 04.12.2024 2:56 UTC Issue reported by @Ry0taK
* 04.12.2024 ~7:00 UTC Official instance on sysupgrade.openwrt.org
stopped by @aparcar
* 04.12.2024 09:42 UTC Fix committed and deployed on
sysupgrade.openwrt.org by @aparcar
* 04.12.2024 10:38 UTC Investigation if this was actively exploited
based on build logs with negative result for the last seven days
* 04.12.2024 ~11:00 UTC Inform known maintainers of ASU instances to
upgrade immediately and expect further information soon
* 05.12.2024 21:57 UTC Email to all OpenWrt project members asking for
further steps
* 06.12.2024 ~12:00 UTC Release of specific commit showing the issue
# Impact
An attacker can compromise the build artifact delivered from the
sysupgrade.openwrt.org, allowing the malicious firmware image to be
installed to the OpenWrt installation that uses the attended firmware
upgrade, firmware-selector.openwrt.org, or CLI upgrade.
More information about the openwrt-devel
mailing list