OpenWrt ASU server flaws allow distribution of modified images


Details about the vulnerabilities in ASU (Attended SysUpgrade) instances of OpenWrt. The detected vulnerabilities allow attackers to compromise build artifacts distributed via the sysupgrade.openwrt.org servers or third-party ASU servers, facilitating the installation of malicious firmware on victims' devices.

The ASU service is a critical tool that allows OpenWrt users to generate firmware updates tailored to their systems without losing installed configurations or packages. Users can perform these updates using a web interface or a command-line tool, making the process accessible and efficient. However, this accessibility also introduces risks, as the absence of authentication mechanisms in requests to the server leaves a door open for attackers to exploit the system.

The vulnerable component, the ASU server, is said to be responsible for managing requests, starting the automatic image build process using ImageBuilder, and storing the resulting images in a cache for reuse. The cache, although efficient, is the key to the problem, since neither the integrity nor the origin of the stored images is verified.

The attack leverages core functionality of the ASU service, which allows users to generate custom firmware images through requests sent without authentication. An attacker can manipulate these requests by introducing a specially crafted package list to replace legitimate images requested by other users with previously generated malicious versions. This is possible because of how the ASU server manages the image generation process and its cache.

How does the attack work?

  • The attacker sends a request to the ASU server, which does not require authentication.
  • The attacker manipulates the package list so that already generated malicious images are inserted into the server's cache.
  • When another user makes a legitimate request for a similar image, the server, instead of generating a new image, delivers the malicious version from its cache.

The attack is said to have been facilitated by a change made on July 8 and fixed on December 4. To mitigate the impact and secure the ASU service, OpenWrt used separate servers, isolated from the project's main systems, without access to sensitive resources such as SSH keys and certificates used to digitally sign images.

The attack was made possible by two vulnerabilities:

  • Vulnerability in the request handler build_request.py: this allowed an attacker to replace commands in the build process by passing specially formatted package names. Because package names were not checked for special characters before being used as arguments to the make utility, an attacker could inject commands during the firmware image creation process. As a result, an attacker could generate malicious images on the server, signed with the server's legitimate signing key.
  • Vulnerability in the util.py library related to the SHA-256 hash: the SHA-256 hashes used to verify cached firmware images were truncated to just 12 characters, leaving significantly low entropy. This reduction allowed an attacker to use collision-search techniques to generate a malicious image whose truncated hash matched that of a valid image. Combined with the ImageBuilder command-injection vulnerability, this allowed the attacker to "pollute" the ASU server cache and return malicious images to normal users making legitimate requests.
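As an added illustration (not ASU's own code; the package-name regex, the cache-key layout and the sample target/version are assumptions), the following Python models both weaknesses and their hardening: an allowlist that rejects package names carrying characters make or a shell could interpret, and a cache key from the full SHA-256 digest beside the 12-hex-character (48-bit) truncation, with the birthday-bound estimate of how few requests such a short key can survive.

```python
import hashlib
import math
import re
from typing import List, Optional, Tuple

# Assumed allowlist: the characters seen in OpenWrt package names and
# nothing that make or a shell treats specially (space, quotes, $, `, ;).
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def validate_packages(packages: List[str]) -> List[str]:
    """Return the list unchanged, or raise on the first unsafe name."""
    for name in packages:
        if not PACKAGE_NAME_RE.fullmatch(name):
            raise ValueError(f"rejected package name: {name!r}")
    return packages


def cache_key(target: str, version: str, packages: List[str],
              hex_chars: Optional[int] = None) -> str:
    """SHA-256 over the request (hypothetical layout). hex_chars=12 models
    the weak pre-fix key (48 bits); None keeps the full 256-bit digest."""
    material = "\n".join([target, version, *sorted(packages)]).encode()
    digest = hashlib.sha256(material).hexdigest()
    return digest[:hex_chars] if hex_chars else digest


def birthday_trials(bits: int, probability: float = 0.5) -> float:
    """Approximate number of random inputs before two share a key with the
    given probability (birthday bound): ~2e7 for 48 bits, ~2^128 for 256."""
    return math.sqrt(2.0 * 2.0 ** bits * math.log(1.0 / (1.0 - probability)))


def find_truncated_collision(hex_chars: int, limit: int = 1_000_000
                             ) -> Optional[Tuple[List[str], List[str], int]]:
    """Enumerate constructed package lists until two share a truncated key.
    Intended for tiny widths only, to show how quickly the bound is hit."""
    seen = {}
    for i in range(limit):
        pkgs = [f"pkg{i}"]  # constructed, non-existent package names
        key = cache_key("x86/64", "23.05.0", pkgs, hex_chars)
        if key in seen:
            return seen[key], pkgs, i + 1
        seen[key] = pkgs
    return None


if __name__ == "__main__":
    print("expected requests for a 50% collision at 48 bits:",
          round(birthday_trials(48)))
    print("collision at 4 hex chars found after",
          find_truncated_collision(4)[2], "requests")
```

Run stand-alone, the script reports the 48-bit bound and finds a 16-bit collision in a few hundred constructed requests, while the full digest of the same two requests differs.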

Finally, it is mentioned that, although the OpenWrt developers consider the probability that these vulnerabilities have actually been exploited to be close to zero, ASU users are advised to reinstall the OpenWrt firmware on their devices with the same version, as a precaution.

If you are interested in knowing more about it, you can check the details at the following link.