Security Advisory 2024-12-06-1 - OpenWrt Attended SysUpgrade server: Build artifact poisoning via truncated SHA-256 hash and command injection (CVE-2024-54143)
Petr Štetiar
ynezz at true.cz
Fri Dec 6 23:38:37 PST 2024
DESCRIPTION
Due to the combination of command injection in the image builder and the
truncated SHA-256 hash included in the build request hash, an attacker can
pollute the legitimate image by providing a package list that causes a hash
collision. The issue consists of two main components:
1. Command Injection in Imagebuilder
User-supplied package names are incorporated into `make` commands without
proper sanitization, allowing malicious users to inject arbitrary commands
into the build process. This results in the production of malicious firmware
images signed with the legitimate build key.
2. Truncated SHA-256 Hash Collisions
The request hashing mechanism truncates SHA-256 hashes to 12 characters,
significantly reducing entropy and enabling attackers to generate collisions.
Exploiting this allows a previously built malicious image to replace
legitimate ones, compromising the artifact cache.
Combined, these vulnerabilities enable attackers to serve compromised firmware
images via the Attended SysUpgrade service, affecting the integrity of
delivered builds.
The issue has been assigned CVE-2024-54143. For details, visit https://www.cve.org/CVERecord?id=CVE-2024-54143
REQUIREMENTS
An attacker needs the ability to submit build requests with crafted package
lists. No authentication is required to exploit these vulnerabilities. By
injecting commands and causing hash collisions, attackers can serve malicious
images in place of legitimate ones.
IMPACT
Attackers can compromise the build artifacts delivered via
sysupgrade.openwrt.org, potentially leading to malicious firmware being
installed during the attended firmware upgrade process.
MITIGATIONS
The vulnerabilities have been fixed in the following commits:
- commit deadda8097d4 ("build_request: security: critical: fix user input validation")
https://github.com/openwrt/asu/commit/deadda8097
- commit d4c9e8b555ee ("util: security: critical: use full hash length")
https://github.com/openwrt/asu/commit/d4c9e8b555
AFFECTED VERSIONS
All versions of the Attended SysUpgrade server relying on truncated hashes and
unsanitized package input are affected. This includes versions between the
following commits:
- commit c10687bd5ac5 ("rewrite to fastapi")
https://github.com/openwrt/asu/commit/c10687b
- commit 920c8a13d97b ("chore: cleanups and OpenWrt One as default")
https://github.com/openwrt/asu/commit/920c8a1
CREDITS
This issue was identified and responsibly disclosed by security researcher
@RyotaK from Flatt Security Inc. and fixed by Paul Spooren (@aparcar).
TIMELINE
- 2024-12-04 02:56 UTC: Issue reported by @Ry0taK
- 2024-12-04 ~07:00 UTC: Official instance stopped by @aparcar
- 2024-12-04 09:42 UTC: Fix committed and deployed by @aparcar
- 2024-12-04 10:38 UTC: Investigation into potential exploitation (negative result for last 7 days)
- 2024-12-04 ~11:00 UTC: Known maintainers of ASU instances informed
- 2024-12-05 21:57 UTC: Email to OpenWrt project members
- 2024-12-06 ~12:00 UTC: Release of specific commit showing the issue
REFERENCES
- CVE-2024-54143: https://www.cve.org/CVERecord?id=CVE-2024-54143
- Build artifact poisoning via truncated SHA-256 hash and command injection (GHSA): https://github.com/openwrt/asu/security/advisories/GHSA-r3gq-96h6-3v7q
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20241207/aff35a96/attachment-0001.sig>
More information about the openwrt-devel
mailing list