A recent security investigation has disclosed a critical supply chain vulnerability in OpenWrt, a popular Linux-based firmware for embedded devices.
The flaw chained a command injection with a collision on a truncated SHA-256 hash, potentially allowing attackers to compromise devices during firmware upgrades obtained through the project's Attended Sysupgrade service.
The vulnerability was discovered and responsibly disclosed by RyotaK, a security engineer at Flatt Security Inc.
Command Injection in Firmware Build Process
The vulnerability originated in OpenWrt’s “Attended Sysupgrade” service, which allows users to generate customized firmware images online.

This service builds firmware based on user-specified parameters, such as device profiles and packages.
However, the process relied on user-controlled input that was not validated. Specifically, the PACKAGES parameter was passed to a make command in the build environment without sanitization, so shell metacharacters placed in a package name were interpreted as commands rather than treated as part of the name.
This oversight enabled attackers to inject arbitrary commands into the build process.
By crafting a malicious package name, an attacker could execute commands within the container used for building firmware.
Although that container was isolated, code execution inside it meant the attacker could tamper with the image being produced, and this became the entry point for the rest of the chain.
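The pattern behind this class of bug, shown here as an added example that is not OpenWrt or Attended Sysupgrade code: a constructed stand-in for a build service that turns a user-supplied package list into a `make image` invocation. The vulnerable function concatenates the names into a single shell line; the hardened one validates every name against an allowlist (the regex is an assumption modelled on real OpenWrt package names, not the project's own check) and builds an argv list instead. The helper `shell_command_count` uses shlex to show how many commands a POSIX shell would actually run for the generated line.

```python
import re
import shlex

# Assumed allowlist for package (and profile) names: letters, digits and the
# characters . _ + - that real OpenWrt package names use. Anything a shell
# could interpret (; | & $ ` ( ) quotes, whitespace) is excluded.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def vulnerable_build_cmdline(profile: str, packages: list[str]) -> str:
    """Unsafe pattern: names are concatenated into one string meant for sh -c."""
    return f"make image PROFILE={profile} PACKAGES={' '.join(packages)}"


def shell_command_count(cmdline: str) -> int:
    """How many simple commands a POSIX shell would run for this line.

    shlex with punctuation_chars=True emits ';', '&&', '||', '|' and '&' as
    their own tokens; each one starts another command. This is not a full
    shell parser, but it is enough to make the injection visible.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def is_valid_package_name(name: str) -> bool:
    """Allowlist check: the whole name must match PACKAGE_NAME_RE."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def hardened_build_argv(profile: str, packages: list[str]) -> list[str]:
    """Safe pattern: validate every name first, then build an argv list.

    The list is intended for subprocess.run(argv) without shell=True, but the
    allowlist is the real control: make expands $(PACKAGES) into shell
    recipes, so a metacharacter that reached make would still be interpreted
    by a shell one step later.
    """
    rejected = [n for n in [profile, *packages] if not is_valid_package_name(n)]
    if rejected:
        raise ValueError(f"rejected unsafe names: {rejected!r}")
    return ["make", "image", f"PROFILE={profile}",
            f"PACKAGES={' '.join(packages)}"]


if __name__ == "__main__":
    evil = ["luci", "x; touch /tmp/pwned"]  # constructed malicious package list
    line = vulnerable_build_cmdline("ath79-generic", evil)
    print(line, "->", shell_command_count(line), "shell commands")
    try:
        hardened_build_argv("ath79-generic", evil)
    except ValueError as exc:
        print("hardened path:", exc)
```

The point of the argv-versus-allowlist comment is the caveat a reviewer would raise: removing `shell=True` from the Python side is not sufficient on its own when the value is later expanded inside a Makefile recipe, so the input validation has to reject the metacharacters outright.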
SHA-256 Collision Amplifies the Attack
The second aspect of the attack involved a weakness in how OpenWrt derived the request hash it used as a cache key for build artifacts.
The system truncated the SHA-256 hash to just 12 hexadecimal characters (48 bits), shrinking a 256-bit digest to a key space small enough that a request matching a chosen target hash could be found by brute force.
Using Hashcat, RyotaK demonstrated that it was possible to generate a request that produced the same truncated hash as a legitimate one.
By combining this hash collision with the command injection, an attacker could submit a request carrying the injection payload whose truncated hash matched that of a legitimate request; the backdoored build was then cached under that key, so the server returned the malicious artifact to users submitting the legitimate request.
This allowed attackers to distribute compromised firmware images signed with OpenWrt's private key, potentially leading to device takeovers.
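To make the arithmetic concrete, here is an added example (constructed; not OpenWrt or Attended Sysupgrade code, and the request format is an assumption) that models a cache keyed by a truncated SHA-256 of the canonical request and runs the attacker's search. Because the victim's request is public, this is a second-preimage search against one fixed target, not a birthday attack, so the expected cost is 2^(4 x hex_chars) hash evaluations: 2^48 for the 12 characters the article describes. The demo truncates to 4 hex characters (16 bits) so it completes in a few seconds in pure Python; the loop Hashcat runs on GPUs for the 48-bit case is the same, only longer. The nonce that drives the search rides in the injected package name after a `#`, so each candidate hashes differently while the shell would execute the same payload.

```python
import hashlib
import json


def canonical_request(version: str, profile: str, packages: list[str]) -> bytes:
    """Canonical serialization of a build request (constructed format)."""
    body = {"version": version, "profile": profile, "packages": sorted(packages)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def full_key(request: bytes) -> str:
    """The fix: key the cache on the entire 256-bit digest."""
    return hashlib.sha256(request).hexdigest()


def cache_key(request: bytes, hex_chars: int) -> str:
    """The weak scheme: keep only the first hex_chars hex digits (4 bits each)."""
    return full_key(request)[:hex_chars]


def expected_second_preimage_work(hex_chars: int) -> int:
    """Expected number of hash evaluations to hit one given truncated value."""
    return 2 ** (4 * hex_chars)


def forge_colliding_request(victim_request: bytes, injected_package: str,
                            hex_chars: int, max_tries: int):
    """Find a request that carries injected_package yet maps to the victim's
    cache key. Returns (forged_request, nonce) or None if max_tries ran out.
    """
    target = cache_key(victim_request, hex_chars)
    victim = json.loads(victim_request)
    for nonce in range(max_tries):
        # Nonce sits after a shell comment marker: it changes the hash of the
        # request but not what the injected command does.
        pkgs = victim["packages"] + [f"{injected_package} #{nonce:x}"]
        candidate = canonical_request(victim["version"], victim["profile"], pkgs)
        if cache_key(candidate, hex_chars) == target:
            return candidate, nonce
    return None


def is_cache_collision(victim_request: bytes, forged_request: bytes,
                       hex_chars: int) -> bool:
    """True when the two requests share a truncated key but differ in full."""
    return (cache_key(victim_request, hex_chars) == cache_key(forged_request, hex_chars)
            and full_key(victim_request) != full_key(forged_request))


if __name__ == "__main__":
    # Constructed victim request; the attacker knows all of it.
    victim = canonical_request("23.05.5", "ath79-generic",
                               ["luci", "wpad-basic-mbedtls"])
    hit = forge_colliding_request(victim, "x; touch /tmp/pwned", 4, 1 << 20)
    if hit:
        forged, nonce = hit
        print("collision after", nonce + 1, "tries:", cache_key(forged, 4))
        print("same key in full-digest scheme?", full_key(forged) == full_key(victim))
    for chars in (4, 12, 64):
        print(f"{chars:2d} hex chars -> 2^{4 * chars} expected evaluations")
```

Keying the cache on the full digest raises the attacker's cost from 2^48 to 2^256, which is out of reach; the canonical serialization matters too, since two byte-different encodings of the same request would otherwise produce distinct cache entries for one logical build.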
Swift Response and Mitigation
Upon discovering the vulnerabilities, RyotaK reported them privately to the OpenWrt team via GitHub.
The team acted swiftly, temporarily disabling the affected service and releasing patches within three hours.
They also issued a public announcement urging users to verify their devices for potential compromise.
While there is no evidence that these vulnerabilities were exploited in the wild, users are advised to update their devices immediately and inspect their firmware for anomalies.
This incident highlights the critical importance of securing supply chain processes in software development.
It serves as a reminder that even widely trusted platforms like OpenWrt are not immune to sophisticated attacks leveraging multiple vulnerabilities.