25 March 2020

Critical RCE flaw puts OpenWrt-based network devices at risk of takeover



The OpenWrt developer team has fixed a dangerous vulnerability that allowed an attacker to remotely execute arbitrary code and gain complete control over a targeted device.

OpenWrt (OPEN Wireless RouTer) is an open source project for embedded operating systems based on Linux, primarily used on embedded devices to route network traffic. OpenWrt can run on various types of devices, including CPE routers, residential gateways, smartphones, pocket computers, and laptops.

The bug was assigned the CVE identifier CVE-2020-7982. The vulnerability in the package list parse logic of OpenWrt's opkg fork caused the package manager to ignore SHA-256 checksums embedded in the signed repository index, effectively bypassing integrity checking of downloaded .ipk artifacts.

In order to exploit this flaw, an attacker must either be in a position to intercept and replace communication between the device and downloads.openwrt.org, or control the DNS server used by the device to make downloads.openwrt.org point to a web server under the attacker’s control.

“Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged .ipk packages with malicious payload,” the OpenWrt team explained.

The CVE-2020-7982 vulnerability affects OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0 as well as LEDE 17.01.0 to 17.01.7. The fixed packages are integrated in OpenWrt 18.06.7, OpenWrt 19.07.1 and subsequent releases. Older OpenWrt versions (e.g. OpenWrt 15.05 and LEDE 17.01) will not receive a fix as they are no longer supported.
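The integrity check that the flaw caused opkg to skip can be illustrated with an added example (Python, not code from this article or from OpenWrt's opkg): it compares a downloaded .ipk against the SHA-256 recorded in its index entry and refuses the package when that checksum is absent or malformed. The index text, package names and artifact bytes are constructed, the field names (Package, Filename, Size, SHA256sum) are assumed from the Packages index format, and the signature on the index itself is assumed to have been verified already.

```python
import hashlib
import re

# Constructed sample data: a two-entry Packages-style index and artifact bytes.
GOOD_IPK = b"constructed ipk bytes for demo"
SAMPLE_INDEX = (
    "Package: demo-a\n"
    "Version: 1.0-1\n"
    "Filename: demo-a_1.0-1_all.ipk\n"
    f"Size: {len(GOOD_IPK)}\n"
    f"SHA256sum: {hashlib.sha256(GOOD_IPK).hexdigest()}\n"
    "\n"
    "Package: demo-b\n"          # entry deliberately lacks a SHA256sum field
    "Version: 2.0-1\n"
    "Filename: demo-b_2.0-1_all.ipk\n"
    "Size: 30\n"
)

HEX64 = re.compile(r"[0-9a-f]{64}")

def parse_index(text):
    """Return {package name: {field: value}} from a Packages-style index."""
    entries = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            # Lines starting with whitespace continue a multi-line field; skip them.
            if sep and not line[0].isspace():
                fields[key] = value.strip()
        if "Package" in fields:
            entries[fields["Package"]] = fields
    return entries

def verify_artifact(entry, data):
    """Fail closed: accept only when the index holds a well-formed, matching digest."""
    expected = entry.get("SHA256sum", "").lower()
    if not HEX64.fullmatch(expected):
        return False, "no usable SHA256sum in index entry; refusing to install"
    if entry.get("Size", "").isdigit() and int(entry["Size"]) != len(data):
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != expected:
        return False, "SHA-256 mismatch"
    return True, "ok"

if __name__ == "__main__":
    index = parse_index(SAMPLE_INDEX)
    print(verify_artifact(index["demo-a"], GOOD_IPK))               # intact artifact
    print(verify_artifact(index["demo-a"], GOOD_IPK[:-1] + b"X"))   # altered in transit
    print(verify_artifact(index["demo-b"], GOOD_IPK))               # checksum missing
```

A missing or unparseable checksum is treated as a failure rather than as "nothing to check", which is the property that keeps a silently ignored checksum from turning into an unverified install.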
