Focusing on source code security, gathering the latest information from home and abroad! Compiled by Qihoo 360 Code Guardian Team
Guido Vranken, a researcher from ForAllSecure, discovered a remote code execution (RCE) vulnerability (CVE-2020-7982) that had existed for three years in OpenWrt, a Linux-based open-source operating system, and released technical details and a proof of concept (PoC).
OpenWrt is an operating system widely used in routers, home gateways, and other embedded devices that route network traffic. The vulnerability exists in OpenWrt’s OPKG package manager, which incorrectly verifies the integrity of downloaded packages against the SHA-256 checksum embedded in the signed repository index.
If the victim’s system has the “opkg install” command enabled, this flaw can allow a remote man-in-the-middle attacker who intercepts the target device’s communications to execute arbitrary code by tricking the system into installing malicious packages or software updates without verification.
If successfully exploited, a remote attacker could gain full control over the target OpenWrt network device, thereby controlling the network traffic it manages.
After discovering this RCE vulnerability that has existed for three years, Vranken responsibly informed the OpenWrt development team. Vranken explained that when the checksum contains any leading spaces, the vulnerable version of OpenWrt skips the integrity check of the downloaded package and continues with the installation task.
The OpenWrt team pointed out, “Since OPKG runs as root and has write permissions to the entire file system, it is possible to inject arbitrary code by crafting a fake .ipk package with a malicious payload.”
Because packages are downloaded over insecure HTTP connections and their integrity relies solely on the digitally signed checksum files, this vulnerability can be exploited remotely.
Additionally, to exploit this vulnerability, an attacker needs to provide a malicious package that is the same size as specified in the package list on downloads.openwrt.org.
The OpenWrt team noted that the affected versions are 18.06.0 to 18.06.6, 19.07.0, and LEDE 17.01.0 to 17.01.7.
Vranken mentioned in a blog post, “As a temporary measure, OpenWRT removed the spaces from the SHA256sum shortly after receiving the vulnerability report. However, this is not a long-term solution, as attackers can provide an outdated package list signed by OpenWRT maintainers.”
Therefore, it is recommended that affected users update their device firmware to the recently released OpenWrt 18.06.7 and 19.07.1.
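To illustrate the failure mode described above, and why Vranken considers stripping spaces from the index only a temporary fix, here is an added Python example; it is not opkg’s code and not part of the original article. It parses a constructed `Packages`-style stanza (the `Size` and `SHA256sum` field names are assumed to mirror the real format) and contrasts a verifier that skips the check on an unparsable checksum with one that fails closed.

```python
import hashlib
import re

# A strict SHA-256 digest: exactly 64 lowercase hex characters, nothing else.
HEX64 = re.compile(r"[0-9a-f]{64}")

# Constructed package stanza in the style of an OPKG "Packages" index
# (assumption: only the Size and SHA256sum field names are modelled).
# INDEX_WITH_SPACE carries an extra leading space before the hash, the
# condition the article describes; INDEX_CLEAN is the corrected index.
PAYLOAD = b"hello world"
GOOD_SUM = hashlib.sha256(PAYLOAD).hexdigest()
INDEX_WITH_SPACE = (
    "Package: example\nVersion: 1.0\n"
    f"Size: {len(PAYLOAD)}\nSHA256sum:  {GOOD_SUM}\n"
)
INDEX_CLEAN = INDEX_WITH_SPACE.replace("SHA256sum:  ", "SHA256sum: ")


def parse_index(text):
    """Map field name -> raw value. Splitting on the first ': ' keeps any
    extra leading whitespace in the value, exactly as a naive parser would."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return fields


def verify_vulnerable(index_text, data):
    """Models the behaviour the article describes (not opkg's actual code):
    a checksum that fails to parse is treated as 'no checksum' and the
    integrity check is silently skipped, so installation proceeds."""
    expected = parse_index(index_text).get("SHA256sum", "")
    if not HEX64.fullmatch(expected):
        return "skipped"
    return "ok" if hashlib.sha256(data).hexdigest() == expected else "mismatch"


def verify_hardened(index_text, data):
    """Fail closed: tolerate stray whitespace, but a missing or malformed
    checksum, or a size that disagrees with the index, rejects the package."""
    fields = parse_index(index_text)
    expected = fields.get("SHA256sum", "").strip()
    if not HEX64.fullmatch(expected) or fields.get("Size") != str(len(data)):
        return "rejected"
    return "ok" if hashlib.sha256(data).hexdigest() == expected else "mismatch"
```

Note that the hardened verifier still accepts the older signed index with the stray space, so the client is protected even when an attacker replays it.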
Original Link
https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html