OpenWrt Vulnerability Could Be Used to Trick Users into Installing Fake Packages

A critical remote code execution vulnerability was found in OpenWrt, a Linux-based operating system designed for embedded devices, such as routers.

Embedded devices that route traffic deserve more scrutiny than most other hardware in the Internet of Things ecosystem. A compromised router gives an attacker a foothold on the internal network and a path to every device behind it, so vulnerabilities in this class of device are treated seriously and need to be fixed as soon as possible.

OpenWrt is a Linux-based open-source system; vendors fork it into their own firmware distributions, and users install it directly on supported devices. It is under constant development, and its code and tooling are open to outside researchers, which is how this flaw came to light.

Packages and updates are fetched from a local or remote repository, and the operating system uses a tool named opkg to download and install them. It turned out that opkg could be made to install a downloaded file without ever checking its integrity, even when the file was not a valid package at all. Since opkg runs as root, a forged package amounts to arbitrary code execution on the device.

“My initial hunch was that opkg would download the package, unpack it to a temporary directory, and only then verify the SHA256 hash before definitively installing it to the system,” said the security researcher. “I suspected that the unpacker couldn’t deal with malformed data, like the file with random bytes served from my web server. Further inspection showed that the SHA256 hash wasn’t checked at all, which is the basis of the vulnerability at hand.”

The vulnerability had been introduced into the main branch of the OS about three years earlier and had been present ever since. In short, opkg attempted to unpack and install whatever it downloaded, without comparing it against the SHA256 checksum published in the package index, so anyone able to control the server or tamper with the download in transit could substitute their own file. Producing a proof of concept was not difficult for the researcher.
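The two behaviours described above, as an added example written for this article (it is not opkg's code and does not reproduce opkg's parser): an install path that trusts whatever the download returned, beside one that verifies the index's SHA256sum over the downloaded bytes and fails closed when the index entry carries no checksum. The package index, the package bytes and the "download" are all constructed in memory so the example runs offline; the field names follow the opkg Packages index format, and the hostile payload is random bytes, as in the researcher's test.

```python
"""Checksum handling for a package fetched from an opkg-style index (added example, not opkg code)."""
import hashlib
import hmac
import re
from typing import Dict

# Constructed stand-in for foo_1.0_all.ipk; the index checksum below is
# derived from it so that the legitimate case verifies.
GOOD_PKG = b"\x1f\x8b\x08\x00constructed-ipk-bytes-for-foo-1.0"
GOOD_SHA256 = hashlib.sha256(GOOD_PKG).hexdigest()

# Constructed Packages index using opkg's "Field: value" stanza format.
# The second entry deliberately carries no SHA256sum at all.
PACKAGES_INDEX = f"""Package: foo
Version: 1.0
Filename: foo_1.0_all.ipk
SHA256sum: {GOOD_SHA256}

Package: bar
Version: 2.0
Filename: bar_2.0_all.ipk
"""

# What a (possibly hostile) server returns for each filename: the legitimate
# archive, or random junk in place of it.
LEGIT_SERVER = {"foo_1.0_all.ipk": GOOD_PKG}
HOSTILE_SERVER = {"foo_1.0_all.ipk": b"\x8e\x13random junk served instead of the package",
                  "bar_2.0_all.ipk": b"\x00\xffmore junk"}

HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def parse_index(text: str) -> Dict[str, Dict[str, str]]:
    """Parse blank-line separated stanzas; values are stripped, so the space
    after the colon can never cause a field to be silently dropped."""
    pkgs: Dict[str, Dict[str, str]] = {}
    for stanza in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            pkgs[fields["Package"]] = fields
    return pkgs


def fake_download(filename: str, server: Dict[str, bytes]) -> bytes:
    """Stand-in for the HTTP fetch."""
    return server[filename]


def install_vulnerable(name: str, index: Dict[str, Dict[str, str]], server: Dict[str, bytes]) -> str:
    """The bug class in the article: unpack and install whatever came back, no checksum compared."""
    data = fake_download(index[name]["Filename"], server)
    return f"installed {name} ({len(data)} bytes, unverified)"


def install_hardened(name: str, index: Dict[str, Dict[str, str]], server: Dict[str, bytes]) -> str:
    """Verify before installing, and treat a missing or malformed checksum as an error,
    not as permission to skip the check."""
    entry = index[name]
    expected = entry.get("SHA256sum", "")
    if not HEX_SHA256.fullmatch(expected):
        raise ValueError(f"{name}: index has no usable SHA256sum; refusing to install")
    data = fake_download(entry["Filename"], server)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise ValueError(f"{name}: SHA256 mismatch, expected {expected[:12]}... got {actual[:12]}...")
    return f"installed {name} ({len(data)} bytes, sha256 verified)"


def outcome(installer, name: str, server: Dict[str, bytes]) -> str:
    """Run an installer against the constructed index and report 'ok: ...' or 'refused: ...'."""
    index = parse_index(PACKAGES_INDEX)
    try:
        return "ok: " + installer(name, index, server)
    except ValueError as exc:
        return "refused: " + str(exc)


if __name__ == "__main__":
    for label, server in (("legit", LEGIT_SERVER), ("hostile", HOSTILE_SERVER)):
        print(label, "vulnerable:", outcome(install_vulnerable, "foo", server))
        print(label, "hardened:  ", outcome(install_hardened, "foo", server))
    print("no checksum in index, hardened:", outcome(install_hardened, "bar", HOSTILE_SERVER))
```

The design point is the fail-closed branch: a package that arrives with no checksum in the index is refused rather than installed unchecked, which is exactly the gap a parser defect like the one described here would otherwise open.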

As a temporary measure, the OpenWrt team regenerated the package lists on its servers without the space in the SHA256sum field, which the parser in vulnerable opkg builds mishandled, so that existing installations would once again pick up and check the checksum. That mattered because the fix itself is fetched through opkg. The issue is fixed in OpenWrt 18.06.7 and 19.07.1, and users should upgrade as soon as possible.
