Attended Sysupgrade Server CVE-2024-54143
Goetz Goerisch
ggoerisch at gmail.com
Fri Dec 6 22:35:15 PST 2024
Dear Christian and all who were involved,
Thank you!
Is there an ETA when the official sysupgrade server will be available again?
Currently it is not reachable.
Thank you very much.
Goetz
Am Fr., 6. Dez. 2024 um 23:42 Uhr schrieb Christian Marangi (Ansuel)
<ansuelsmth at gmail.com>:
>
> Forwarding this also to devel list in case anyone might miss this.
>
> ---
> Hi,
>
> last Wednesday we got notified of a security issue of the sysupgrade
> server ASU[1]. It affected all ASU instances including the the
> official instance[2].
> Official ASU instances runs on dedicated servers separate from OpenWrt
> Buildbot and doesn't have access to any sensible resource (SSH Keys,
> Sign Certs...)
>
> NO OFFICIAL IMAGES from the downloads.openwrt.org were AFFECTED nor
> any custom images from 24.10.0-rc2.
>
> Available build logs for other custom images were checked and NO
> MALICIOUS REQUEST FOUND, however due to automatic cleanups no builds
> older than 7 days could be checked. Affected server is reset and
> reinizialized from scratch.
> Although the possibility of compromised images is near 0, it is
> SUGGESTED to the user to make an INPLACE UPGRADE to the same version
> to ELIMINATE any possibility of being affected by this.
>
> If you run a public, self hosted instance of ASU, please update it
> immediately. (or apply the following commits [3] [4])
>
> Please find all details below, on GitHub[5] or our own security tracker[6].
>
> Thanks to RyotaK from Flatt Security Inc. for finding and report this issue!
>
> Please be safe,
> Paul
>
> [1]: https://github.com/openwrt/asu
> [2]: https://sysupgrade.openwrt.org
> [3]: https://github.com/openwrt/asu/commit/deadda8097d49500260b171d2bf8ad2b048da04b
> [4]: https://github.com/openwrt/asu/commit/d4c9e8b555eee52f17698e9cea05dc45112dd31b
> [5]: https://github.com/openwrt/asu/security/advisories/GHSA-r3gq-96h6-3v7q
> [6]: https://openwrt.org/advisory/2024-12-06
>
> ---
>
> Below is a copy of the CVE detail and Timeline
>
> # Summary
>
> Due to the combination of the command injection in the
> `openwrt/imagebuilder` image and the truncated SHA-256 hash included
> in the build request hash, an attacker can pollute the legitimate
> image by providing a package list that causes the hash collision. The
> issue consists of two main components:
>
> 1. **Command Injection in Imagebuilder**: During image builds,
> user-supplied package names are incorporated into `make` commands
> without proper sanitization. This allows malicious users to inject
> arbitrary commands into the build process, resulting in the production
> of malicious firmware images signed with the legitimate build key.
>
> 2. **Truncated SHA-256 Hash Collisions**: The request hashing
> mechanism truncates SHA-256 hashes to only 12 characters. This
> significantly reduces entropy, making it feasible for an attacker to
> generate collisions. By exploiting this, a previously built malicious
> image can be served in place of a legitimate one, allowing the
> attacker to "poison" the artifact cache and deliver compromised images
> to unsuspecting users.
>
> Combined, these vulnerabilities enable an attacker to serve
> compromised firmware images through the ASU service, affecting the
> integrity of the delivered builds.
>
> # Timeline
>
> * 04.12.2024 2:56 UTC Issue reported by @Ry0taK
> * 04.12.2024 ~7:00 UTC Official instance on sysupgrade.openwrt.org
> stopped by @aparcar
> * 04.12.2024 09:42 UTC Fix committed and deployed on
> sysupgrade.openwrt.org by @aparcar
> * 04.12.2024 10:38 UTC Investigation if this was actively exploited
> based on build logs with negative result for the last seven days
> * 04.12.2024 ~11:00 UTC Inform known maintainers of ASU instances to
> upgrade immediately and expect further information soon
> * 05.12.2024 21:57 UTC Email to all OpenWrt project members asking for
> further steps
> * 06.12.2024 ~12:00 UTC Release of specific commit showing the issue
>
> # Impact
>
> An attacker can compromise the build artifact delivered from the
> sysupgrade.openwrt.org, allowing the malicious firmware image to be
> installed to the OpenWrt installation that uses the attended firmware
> upgrade, firmware-selector.openwrt.org, or CLI upgrade.
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list