Attended Sysupgrade Server CVE-2024-54143
Paul Spooren
mail at aparcar.org
Sat Dec 7 05:34:58 PST 2024
Hey again,
The security researcher published an article describing the details, a good read indeed.
https://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/
Best,
Paul
> On 6. Dec 2024, at 23:42, Christian Marangi (Ansuel) <ansuelsmth at gmail.com> wrote:
>
> Forwarding this also to devel list in case anyone might miss this.
>
> ---
> Hi,
>
> last Wednesday we got notified of a security issue of the sysupgrade
> server ASU[1]. It affected all ASU instances including the
> official instance[2].
> Official ASU instances run on dedicated servers separate from OpenWrt
> Buildbot and don't have access to any sensitive resource (SSH keys,
> signing certs...).
>
> NO OFFICIAL IMAGES from the downloads.openwrt.org were AFFECTED nor
> any custom images from 24.10.0-rc2.
>
> Available build logs for other custom images were checked and NO
> MALICIOUS REQUEST FOUND, however due to automatic cleanups no builds
> older than 7 days could be checked. The affected server is reset and
> reinitialized from scratch.
> Although the possibility of compromised images is near 0, it is
> SUGGESTED to the user to make an IN-PLACE UPGRADE to the same version
> to ELIMINATE any possibility of being affected by this.
>
> If you run a public, self-hosted instance of ASU, please update it
> immediately (or apply the following commits [3] [4]).
>
> Please find all details below, on GitHub[5] or our own security tracker[6].
>
> Thanks to RyotaK from Flatt Security Inc. for finding and reporting this issue!
>
> Please be safe,
> Paul
>
> [1]: https://github.com/openwrt/asu
> [2]: https://sysupgrade.openwrt.org
> [3]: https://github.com/openwrt/asu/commit/deadda8097d49500260b171d2bf8ad2b048da04b
> [4]: https://github.com/openwrt/asu/commit/d4c9e8b555eee52f17698e9cea05dc45112dd31b
> [5]: https://github.com/openwrt/asu/security/advisories/GHSA-r3gq-96h6-3v7q
> [6]: https://openwrt.org/advisory/2024-12-06
>
> ---
>
> Below is a copy of the CVE detail and Timeline
>
> # Summary
>
> Due to the combination of the command injection in the
> `openwrt/imagebuilder` image and the truncated SHA-256 hash included
> in the build request hash, an attacker can pollute the legitimate
> image by providing a package list that causes a hash collision. The
> issue consists of two main components:
>
> 1. **Command Injection in Imagebuilder**: During image builds,
> user-supplied package names are incorporated into `make` commands
> without proper sanitization. This allows malicious users to inject
> arbitrary commands into the build process, resulting in the production
> of malicious firmware images signed with the legitimate build key.
>
> 2. **Truncated SHA-256 Hash Collisions**: The request hashing
> mechanism truncates SHA-256 hashes to only 12 characters. This
> significantly reduces entropy, making it feasible for an attacker to
> generate collisions. By exploiting this, a previously built malicious
> image can be served in place of a legitimate one, allowing the
> attacker to "poison" the artifact cache and deliver compromised images
> to unsuspecting users.
>
> Combined, these vulnerabilities enable an attacker to serve
> compromised firmware images through the ASU service, affecting the
> integrity of the delivered builds.
>
> # Timeline
>
> * 04.12.2024 2:56 UTC Issue reported by @Ry0taK
> * 04.12.2024 ~7:00 UTC Official instance on sysupgrade.openwrt.org
> stopped by @aparcar
> * 04.12.2024 09:42 UTC Fix committed and deployed on
> sysupgrade.openwrt.org by @aparcar
> * 04.12.2024 10:38 UTC Investigation if this was actively exploited
> based on build logs with negative result for the last seven days
> * 04.12.2024 ~11:00 UTC Inform known maintainers of ASU instances to
> upgrade immediately and expect further information soon
> * 05.12.2024 21:57 UTC Email to all OpenWrt project members asking for
> further steps
> * 06.12.2024 ~12:00 UTC Release of specific commit showing the issue
>
> # Impact
>
> An attacker can compromise the build artifact delivered from
> sysupgrade.openwrt.org, allowing the malicious firmware image to be
> installed on an OpenWrt installation that uses the attended firmware
> upgrade, firmware-selector.openwrt.org, or CLI upgrade.
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
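The two weaknesses in the quoted advisory (package names reaching a `make` command line unchecked, and a cache key made from only 12 hex characters of a SHA-256 digest) can both be illustrated from the defender's side in a few lines. The following is an added example written for this page, not code from the ASU project or from the advisory; `PACKAGE_NAME_RE`, `validate_packages`, `canonical_request`, `request_hash` and `expected_collision_work` are hypothetical names, the request fields and the sample request are constructed, and the allowlist is an assumption about what a build service would accept. It shows the birthday bound for a 48-bit versus a 256-bit key, a canonical request serialisation that is hashed in full, and an allowlist check that rejects any package name carrying shell or make metacharacters before it can be interpolated into a build command.

```python
import hashlib
import json
import math
import re

# Hypothetical allowlist for package names: lower-case alphanumerics plus
# '-', '_', '.', '+', starting with an alphanumeric. Spaces, quotes, '$', ';',
# backticks and pipes can never match, so a name that passes is safe to place
# on a `make` command line without further quoting.
PACKAGE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9._+-]*")


def validate_packages(packages):
    """Return the list unchanged if every name matches the allowlist, else raise."""
    bad = [p for p in packages if not PACKAGE_NAME_RE.fullmatch(p)]
    if bad:
        raise ValueError(f"rejected package names: {bad}")
    return list(packages)


def canonical_request(request):
    """Serialise a build request deterministically (sorted keys, sorted and
    de-duplicated packages, no whitespace) so that equal requests always hash
    to the same value and the hash covers every field that shapes the build."""
    body = {
        "version": request["version"],
        "target": request["target"],
        "profile": request["profile"],
        "packages": sorted(set(validate_packages(request["packages"]))),
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def request_hash(request, hex_chars=64):
    """SHA-256 of the canonical request. The default keeps all 64 hex
    characters (256 bits); hex_chars=12 reproduces the weak 48-bit cache key
    described in the advisory, for comparison only."""
    digest = hashlib.sha256(canonical_request(request).encode("utf-8")).hexdigest()
    return digest[:hex_chars]


def expected_collision_work(hex_chars):
    """Birthday bound: roughly sqrt(2**bits) random requests suffice for two
    of them to share a hash of bits = 4 * hex_chars bits."""
    return math.sqrt(2 ** (4 * hex_chars))


if __name__ == "__main__":
    # Constructed sample request (not taken from any real build log).
    req = {"version": "24.10.0-rc2", "target": "ath79/generic",
           "profile": "example-board", "packages": ["wireguard-tools", "luci"]}
    print("full key   :", request_hash(req))
    print("12-char key:", request_hash(req, 12))
    print("work for 12-char collision ~ 2^%d" % math.log2(expected_collision_work(12)))
    print("work for 64-char collision ~ 2^%d" % math.log2(expected_collision_work(64)))
    try:
        validate_packages(["luci", "bad name; with metachars"])
    except ValueError as exc:
        print("validation:", exc)
```

The numbers are the point: a 12-hex-character key is 48 bits, so about 2^24 (roughly 16.7 million) candidate requests are expected before two share a cache key, which is cheap to compute; the full 256-bit digest pushes that to about 2^128. The allowlist is deliberately strict rather than a blocklist of known-bad characters, because a build service only needs to accept names that already exist in its package index.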