OpenWRT Contains Vulnerability That Enables Remote Code Execution


The open source OpenWRT operating system contains a vulnerability that allows remote code execution. This is partly because OpenWRT updates are delivered over plain HTTP. Limited mitigations are now available.

Security researcher Guido Vranken discovered the vulnerability in OpenWRT, an open source operating system mainly used in embedded devices such as routers. He published details of the vulnerability on ForAllSecure. The vulnerability allows attackers to bypass the operating system’s update verification and deliver their own custom update to a device, which is then installed automatically. In this way, attackers can, for example, install malware that makes remote code execution possible.

The vulnerability is partly caused by OpenWRT updates not being delivered over HTTPS, which would prevent attackers from tampering with updates in transit. Instead, OpenWRT uses unencrypted HTTP connections. According to Ars Technica, this is probably a deliberate choice by OpenWRT, as not all devices may be able to receive updates via HTTPS. To reduce the risk, the operating system does use SHA256 checksums to verify the legitimacy of updates, but Vranken says that this check can be bypassed relatively easily by adding a space to the beginning of an input string. The bug is believed to have originated in February 2017.
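As an added illustration (not code from the article, from OpenWRT or from its opkg package manager), the following Python models the fail-open checksum check the article describes beside a fail-closed verifier; the package bytes, the Packages-style feed stanza and all function names are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample package bytes and their correct digest (not real OpenWRT data).
PACKAGE_DATA = b"constructed-package-bytes-v1"
GOOD_SUM = hashlib.sha256(PACKAGE_DATA).hexdigest()
STRICT_SHA256 = re.compile(r"\A[0-9a-f]{64}\Z")


def lenient_hex2bin(value: str) -> bytes:
    """Simplified model of the fail-open decoder class (not opkg's code):
    decode hex pairs until the first malformed pair and return whatever
    was decoded, possibly nothing at all."""
    out = bytearray()
    for i in range(0, len(value) - 1, 2):
        pair = value[i:i + 2]
        if not re.fullmatch(r"[0-9a-fA-F]{2}", pair):
            break
        out.append(int(pair, 16))
    return bytes(out)


def lenient_verify(data: bytes, declared: str) -> bool:
    """Compares only as many bytes as were decoded, so a declared value
    starting with a space decodes to b"" and matches any package."""
    expected = lenient_hex2bin(declared)
    return hashlib.sha256(data).digest()[:len(expected)] == expected


def strict_verify(data: bytes, declared: str) -> bool:
    """Hardened form: the declared value must be exactly 64 lowercase hex
    characters with no surrounding whitespace, and the whole digest must
    match in constant time; anything else fails closed."""
    if not STRICT_SHA256.match(declared):
        return False
    return hmac.compare_digest(hashlib.sha256(data).digest(), bytes.fromhex(declared))


def sha256sum_from_feed(stanza: str) -> str:
    """Return the SHA256sum field of a Packages-style stanza without any
    whitespace cleanup, so malformed values reach the verifier unchanged."""
    for line in stanza.split("\n"):
        if line.startswith("SHA256sum: "):
            return line[len("SHA256sum: "):]
    raise ValueError("no SHA256sum field in stanza")
```

The lenient variant accepts a tampered package whenever the feed's declared hash is prefixed with a space, while the strict one rejects that entry outright instead of treating an unparsable hash as nothing to check.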

According to Vranken, circumventing these checks is very easy for attackers with “modest experience”, Ars Technica writes. He shares a proof-of-concept on ForAllSecure that shows the attack is relatively simple to perform. With this exploit, Vranken was able to create a server that masquerades as the legitimate OpenWRT update server.

The vulnerability is somewhat limited in scope, requiring an attacker to perform a man-in-the-middle attack or to manipulate the DNS server a device uses to locate updates. This means that routers on a network that is not already compromised and that use a trusted DNS server cannot be directly affected. Vranken speculates that packet spoofing and ARP cache poisoning may also be possible, but indicates that he has not tested this.

OpenWRT’s maintainers released updates in February with limited mitigations. The mitigation requires that newly installed packages come from “a well-formed list that cannot bypass hash verification.” At the same time, OpenWRT notes that this is not a long-term solution, because attackers can also use an outdated package list to carry out the attack. The mitigations are included in OpenWRT versions 18.06.7 and 19.07.1.
