OpenWrt developer team has fixed a dangerous vulnerability that allowed an attacker to remotely execute arbitrary code and gain complete control over a targeted device.

OpenWrt (OPEN Wireless RouTer) is an open source project for embedded operating systems based on Linux, primarily used on embedded devices to route network traffic. OpenWrt can run on various types of devices, including CPE routers, residential gateways, smartphones, pocket computers, and laptops.

The bug was assigned the CVE identifier CVE-2020-7982. The vulnerability in the package list parse logic of OpenWrt's opkg fork caused the package manager to ignore SHA-256 checksums embedded in the signed repository index, effectively bypassing integrity checking of downloaded .ipk artifacts.

In order to exploit this flaw, an attacker must either be in a position to intercept and replace communication between the device and downloads.openwrt.org, or control the DNS server used by the device to make downloads.openwrt.org point to a web server under the attacker’s control.

“Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged .ipk packages with malicious payload,” OpenWrt team explained.

The CVE-2020-7982 vulnerability affects OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0 as well as LEDE 17.01.0 to 17.01.7. The fixed packages are integrated in the OpenWrt 18.06.7, OpenWrt 19.07.1 and subsequent releases. The older OpenWrt versions (e.g. OpenWrt 15.05 and LEDE 17.01) will not receive a fix as they are not supported any more.