OpenWrt’s Attended Sysupgrade (ASU) feature has a severe security vulnerability that could expose users to significant cybersecurity risk. The flaw, tracked as CVE-2024-54143, represents a critical threat to the popular open-source Linux-based operating system widely used in networking devices.
Vulnerability Details
Security researcher RyotaK from Flatt Security first disclosed the vulnerability on December 4, 2024. The issue received a CVSS score of 9.3 out of 10, a rating that signals critical severity. Technically, the flaw is a combination of a command injection and a hash collision weakness.
How the Exploit Works
The vulnerability allows an attacker to manipulate the firmware build process by chaining several steps:
- Inject arbitrary commands into the imagebuilder image
- Exploit a weakness in the truncated SHA-256 hash used for verification
- Potentially distribute malicious firmware images signed with legitimate build keys
What makes this vulnerability particularly dangerous is its supply chain attack potential. Threat actors could:
- Generate malicious firmware images
- Replace legitimate images with compromised versions
- Execute unauthorized commands during the build process
Technical Breakdown
According to OpenWrt’s maintainers, exploiting the flaw requires an attacker to:
- Submit build requests with crafted package lists
- Leverage a 12-character SHA-256 hash collision
- Manipulate the firmware generation process without authentication
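To see why a 12-character hash prefix is a weak identifier, the following added example (written for this article, not code from OpenWrt or the ASU project) contrasts a truncated request identifier with one that keeps the full digest. It assumes the 12 characters are hex digits (48 bits) and that the hash identifies a build request; the request fields and the "collision at 3 hex characters" search are constructed to keep the demonstration instant.

```python
import hashlib
import itertools
import json
import math


def request_digest(request: dict) -> str:
    """Full SHA-256 (64 hex chars) over a canonical JSON encoding of the request."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def weak_request_id(request: dict, hex_chars: int = 12) -> str:
    """Weak pattern: keep only the first `hex_chars` hex digits (12 -> 48 bits)."""
    return request_digest(request)[:hex_chars]


def hardened_request_id(request: dict) -> str:
    """Hardened pattern: keep the full 256-bit digest as the identifier."""
    return request_digest(request)


def birthday_bound_attempts(bits: int) -> int:
    """Expected random inputs before two share an n-bit prefix: ~sqrt(pi/2 * 2^n)."""
    return math.ceil(math.sqrt(math.pi / 2 * 2 ** bits))


def find_prefix_collision(hex_chars: int, base: dict) -> tuple[int, dict, dict]:
    """Vary the package list of `base` until two distinct requests share a
    truncated id. Returns (attempts, first_request, colliding_request).
    Intended for a small `hex_chars`; at 12 hex chars the birthday bound is
    about 2^24 attempts, which is exactly what makes truncation dangerous."""
    seen: dict[str, dict] = {}
    for n in itertools.count():
        req = dict(base, packages=base["packages"] + [f"pkg-{n}"])
        rid = weak_request_id(req, hex_chars)
        if rid in seen:
            return n + 1, seen[rid], req
        seen[rid] = req


# Constructed sample request; field values are placeholders, not real ASU data.
BASE_REQUEST = {
    "version": "example-release",
    "target": "example/target",
    "profile": "example-profile",
    "packages": ["luci"],
}
```

Two requests that collide on the truncated identifier still differ on the full digest, which is why serving a cached artifact keyed on a prefix lets one request's output stand in for another's.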
Mitigation and Recommendations
OpenWrt has already patched the vulnerability in ASU version 920c8a1. Security experts strongly recommend that users:
- Update to the latest version immediately
- Verify firmware sources
- Monitor for any suspicious system behaviors
Expert Insight
RyotaK noted that while it remains uncertain whether the vulnerability was previously exploited, its potential impact should not be underestimated. The researcher emphasized the importance of prompt updates and vigilant system management.