OpenWrt has issued a fix for a critical vulnerability in its Attended SysUpgrade (ASU) server, sysupgrade.openwrt.org, tracked as CVE-2024-54143, which could be leveraged to inject malicious firmware images into the upgrade process, reports SecurityWeek.
The flaw, which can be exploited without authentication, is the combination of two issues: a command injection in Imagebuilder that lets attacker-controlled input run arbitrary commands during the build process, and a cache-key weakness in which the SHA-256 hash identifying a build request is truncated, reducing its entropy far enough that hash collisions become feasible and the artifact cache can be poisoned, according to OpenWrt. "Combined, these vulnerabilities enable attackers to serve compromised firmware images via the Attended SysUpgrade service, affecting the integrity of delivered builds. Attackers can compromise the build artifacts delivered via sysupgrade.openwrt.org, potentially leading to malicious firmware being installed during the attended firmware upgrade process," said OpenWrt, which called for immediate application of the released patches while characterizing the risk of attacks having already produced compromised images as low.
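To make the two halves of the advisory concrete, here is an added example, written for this page and not taken from OpenWrt's ASU server or Imagebuilder code. It models a build request with an assumed field layout, shows why a truncated SHA-256 cache key is brute-forceable (the real key length, the request schema, the canonicalisation and the package-name allow-list are all assumptions here), and contrasts it with keying on the full digest plus rejecting package entries that are not plain package names before they reach a build command. The collision search is run against a 4-hex-character key so it finishes in seconds; the same loop against a 12-character (48-bit) key would need on the order of 2**48 hashes, which is within reach of GPU brute force but not of a demo.

```python
import hashlib
import json
import re
from typing import Optional

# Constructed model of an Attended-SysUpgrade-style build request.
# Field names and the canonicalisation are assumptions for this example,
# not the real ASU server's request schema.
VICTIM_REQUEST = {
    "target": "ath79/generic",
    "profile": "tplink_archer-c7-v5",
    "version": "23.05.5",
    "packages": ["luci", "wireguard-tools", "curl"],
}

# Package names end up as build-tool input, so anything that is not a plain
# package name should be rejected before the build is queued.
# This allow-list pattern is an assumption, not OpenWrt's own validator.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def canonical_request(req: dict) -> bytes:
    """Serialise a request deterministically so equal requests hash equal."""
    canon = {
        "target": req["target"],
        "profile": req["profile"],
        "version": req["version"],
        "packages": sorted(req["packages"]),
    }
    return json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()


def truncated_cache_key(req: dict, hex_chars: int) -> str:
    """Weak pattern: keep only the first hex_chars of the SHA-256 digest.
    Each hex char is 4 bits, so 12 chars leave a 48-bit key."""
    return hashlib.sha256(canonical_request(req)).hexdigest()[:hex_chars]


def full_cache_key(req: dict) -> str:
    """Hardened pattern: the whole 256-bit digest is the cache key."""
    return hashlib.sha256(canonical_request(req)).hexdigest()


def targeted_search_space(hex_chars: int) -> int:
    """Expected number of hashes needed to match one known truncated key."""
    return 2 ** (4 * hex_chars)


def invalid_package_names(packages: list) -> list:
    """Return every entry that is not a plain package name (e.g. contains
    shell metacharacters such as ';' or whitespace)."""
    return [p for p in packages if not PACKAGE_NAME_RE.fullmatch(p)]


def forge_colliding_request(victim: dict, hex_chars: int,
                            max_tries: int = 1 << 22) -> Optional[dict]:
    """Brute-force an attacker request whose truncated key equals the
    victim's, by appending one attacker-chosen package name and counting.
    If the server caches the attacker's build under that key first, the
    victim's later, legitimate request is served the attacker's artifact.
    Feasible here only because hex_chars is tiny; the loop is identical for
    a 12-character key, just with ~2**48 expected trials."""
    target = truncated_cache_key(victim, hex_chars)
    for n in range(max_tries):
        forged = dict(victim, packages=victim["packages"] + [f"evil-{n}"])
        if truncated_cache_key(forged, hex_chars) == target:
            return forged
    return None


if __name__ == "__main__":
    bad = invalid_package_names(["curl", "luci; touch /tmp/pwned"])
    print("rejected package entries:", bad)
    print("48-bit key search space:", targeted_search_space(12))
    forged = forge_colliding_request(VICTIM_REQUEST, hex_chars=4)
    print("forged packages:", forged["packages"])
    print("truncated keys equal:",
          truncated_cache_key(forged, 4) == truncated_cache_key(VICTIM_REQUEST, 4))
    print("full keys equal:",
          full_cache_key(forged) == full_cache_key(VICTIM_REQUEST))
```

The two defences are independent: keying the cache on the full digest closes the collision path on its own, and validating package entries closes the injection path on its own, but the advisory's point is that the attack needed both weaknesses together, so a server should apply both fixes rather than rely on either one.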