Full Report
A security flaw has been disclosed in OpenWrt's Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages. The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the
Analysis Summary
# Vulnerability: Critical OpenWrt ASU Firmware Injection via Command Injection and SHA-256 Hash Collision
## CVE Details
- CVE ID: CVE-2024-54143
- CVSS Score: 9.3 (Critical)
- CWE: Not specified in the text, but relates to Command Injection and potential improper handling of cryptographic material/integrity checks.
## Affected Systems
- Products: OpenWrt Attended Sysupgrade (ASU) feature
- Versions: Prior to ASU version 920c8a1
- Configurations: Any system utilizing the Attended Sysupgrade feature that processes attacker-controlled build requests.
## Vulnerability Description
The vulnerability exists within OpenWrt's Attended Sysupgrade (ASU) functionality. It is a combination of a command injection flaw present in the `imagebuilder` image and a specific weakness related to truncated SHA-256 hashes included in the build request hash. An unauthenticated attacker can submit crafted package lists in build requests. This allows the attacker to:
1. Inject arbitrary commands into the build process, potentially leading to the creation of malicious firmware images signed with the legitimate build key.
2. Exploit a collision in the 12-character (truncated) SHA-256 hash associated with the build key, so that a previously generated malicious image is served in place of the legitimate one requested by a user or system.
This poses a significant supply chain risk.
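The collision half of the chain rests on a general point that is easy to check numerically: truncating a SHA-256 digest to 12 hex characters leaves only 48 bits, so two different build requests collide after roughly 2^24 attempts (birthday bound), whereas the full 256-bit digest is out of reach. The following is an added illustration and not code from OpenWrt or ASU; `request_key`, the sorted-newline canonicalisation, and the constructed package lists are assumptions used only to demonstrate the weak (truncated) cache key beside the safe (full-digest) one.

```python
import hashlib
import math


def request_key(package_list, hex_chars=None):
    """Derive a cache key for a build request from its package list.

    hex_chars=None keeps the full 64-hex-char SHA-256 digest (the safe form).
    A small value emulates a truncated key, the kind of weakness described
    above. Canonicalisation (sorted, newline-joined) is an assumption here,
    not ASU's real derivation.
    """
    canonical = "\n".join(sorted(package_list)).encode()
    digest = hashlib.sha256(canonical).hexdigest()
    return digest if hex_chars is None else digest[:hex_chars]


def birthday_attempts(bits):
    """Approximate number of random inputs for a 50% chance of at least one
    collision among values of the given bit width (birthday bound)."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


def find_prefix_collision(hex_chars, limit=1_000_000):
    """Feed constructed, pairwise-distinct package lists through request_key
    until two of them share the same truncated key.

    Returns (attempts, list_a, list_b), or None if no collision occurs within
    `limit` attempts. With 4 hex chars (16 bits) a collision is guaranteed by
    the pigeonhole principle within 65537 attempts; with 12 hex chars it is
    not observed at any practical limit in a demo like this.
    """
    seen = {}
    for i in range(limit):
        pkgs = ["base-files", "luci", f"constructed-pkg-{i}"]  # constructed input
        key = request_key(pkgs, hex_chars)
        if key in seen:
            return i + 1, seen[key], pkgs
        seen[key] = pkgs
    return None


if __name__ == "__main__":
    # Full digest: 64 hex chars; truncated: 12 hex chars = 48 bits of collision resistance.
    print("full key length:", len(request_key(["luci", "base-files"])))
    print("truncated key length:", len(request_key(["luci", "base-files"], 12)))
    print("expected attempts, 48-bit key:  %.3g" % birthday_attempts(48))
    print("expected attempts, 256-bit key: %.3g" % birthday_attempts(256))
    hit = find_prefix_collision(4)
    print("16-bit toy prefix collided after %d attempts: %s vs %s" % hit)
```

The practical takeaway for anyone keying a cache or lookup on a digest is that the key must carry the digest's full width: the 16-bit toy prefix collides within a few hundred requests, the 48-bit prefix within tens of millions, and only the untruncated digest puts a collision beyond reach.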
## Exploitation
- Status: PoC available (technical breakdown provided by researcher RyotaK); exploitation in the wild status is unknown ("not known if the vulnerability was ever exploited in the wild").
- Complexity: Low (No authentication required to exploit).
- Attack Vector: Network (Requires the ability to submit build requests).
## Impact
- Confidentiality: High (Malicious firmware could lead to information disclosure).
- Integrity: High (Allows modification/replacement of firmware with malicious versions signed by the legitimate build key).
- Availability: High (Compromised firmware can disrupt device operation).
## Remediation
### Patches
- Users should update ASU to version **920c8a1** or newer.
### Workarounds
- The primary recommendation is to update immediately. A workaround follows from the stated prerequisite that "An attacker needs the ability to submit build requests containing crafted package lists": restricting ASU build-request submission so that external or unauthenticated parties cannot reach it removes the immediate threat vector, though patching is preferred.
## Detection
- Detection focuses on monitoring suspicious build requests sent to ASU endpoints, especially those containing unusual package lists that might attempt to trigger command injection or hash collisions.
- No specific IOCs were listed, but monitoring for anomalous build processes or unexpected firmware signatures should be prioritized post-patch.
## References
- Vendor Advisory (OpenWrt): hxxps://openwrt.org/advisory/2024-12-06
- Researcher Breakdown: hxxps://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/
- Security Advisory (GitHub): hxxps://github.com/openwrt/asu/security/advisories/GHSA-r3gq-96h6-3v7q