CVE-2024-54143: OpenWrt Sysupgrade Vulnerability Explained

A critical vulnerability in the OpenWrt Attended Sysupgrade function, used to generate custom firmware images, could have been exploited to distribute malicious versions.

OpenWrt, a Linux-based operating system designed for routers, access points, and IoT devices, is widely adopted as a replacement for factory firmware due to its customizability and support for various brands, including ASUS, D-Link, and Zyxel.

The vulnerability, identified as CVE-2024-54143 and assigned a CVSS score of 9.3, was discovered by Flatt Security researchers during a routine update of a home router. This flaw enables arbitrary command execution through improper input handling in the sysupgrade.openwrt.org service.

A second issue was identified in the service: build caching used a SHA-256 hash truncated to 12 characters, which weakens the security mechanism because distinct build requests can end up sharing a cache key. This flaw allows attackers to generate requests that reuse cache keys from legitimate firmware builds, potentially compromising the integrity of the firmware.
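To illustrate the cache-key weakness described above, the following Python sketch is an added example, not code from the ASU service: the request fields, the `BuildCache` class and the 3-character key width are assumptions chosen so that a key clash between two constructed requests appears quickly. It shows a cache keyed only on a truncated digest handing one request the image built for another, and the same cache treating the clash as a miss once it compares full digests.

```python
import hashlib
import json


def request_digest(request: dict) -> str:
    """Full SHA-256 hex digest of a canonical JSON encoding of the request."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class BuildCache:
    """Toy build cache keyed by the first `hex_chars` characters of the digest."""

    def __init__(self, hex_chars: int, verify_full_digest: bool):
        self.hex_chars = hex_chars
        self.verify_full_digest = verify_full_digest
        self._entries = {}  # truncated key -> (full digest, artifact)

    def put(self, request: dict, artifact: str) -> None:
        digest = request_digest(request)
        self._entries[digest[: self.hex_chars]] = (digest, artifact)

    def get(self, request: dict):
        digest = request_digest(request)
        entry = self._entries.get(digest[: self.hex_chars])
        if entry is None:
            return None
        stored_digest, artifact = entry
        if self.verify_full_digest and stored_digest != digest:
            return None  # key clash between different requests: rebuild instead
        return artifact


def colliding_pair(hex_chars: int = 3):
    """Return two constructed requests whose truncated keys match (toy widths)."""
    seen = {}
    for i in range(16 ** hex_chars + 1):  # pigeonhole guarantees a repeat
        req = {"profile": "constructed-device", "packages": ["luci"], "build": i}
        key = request_digest(req)[:hex_chars]
        if key in seen:
            return seen[key], req
        seen[key] = req


if __name__ == "__main__":
    a, b = colliding_pair()
    weak = BuildCache(3, verify_full_digest=False)
    weak.put(a, "image built for request a")
    print("truncated key only:", weak.get(b))      # serves a's image to b
    checked = BuildCache(3, verify_full_digest=True)
    checked.put(a, "image built for request a")
    print("full digest compared:", checked.get(b))  # None, so b is rebuilt
```

Each extra hex character multiplies the key space by 16, so the clash that is immediate at 3 characters becomes steadily more expensive at wider keys; keying on or comparing the full 64-character digest removes the dependence on key width.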

Together, these vulnerabilities could be exploited to alter firmware images and replace them with malicious versions. Following a private report, the OpenWrt team immediately disabled the sysupgrade.openwrt.org service, addressed the vulnerabilities, and restored the platform within three hours on December 4.

Developers assert that exploitation of the vulnerabilities is unlikely and that images hosted on the primary download server remain uncompromised. However, since available logs cover only the past seven days, all users are strongly advised to update the firmware on their devices.

Recommendations for Users

  • Update the firmware versions on your routers.
  • If using a publicly accessible or self-hosted instance of the ASU service, update it immediately.
  • Perform an update even if the device already runs the current firmware version, to enhance security.

The vulnerabilities have existed long enough to consider all previously built images potentially compromised. Following these recommendations will help minimize risks and mitigate the possibility of exploitation.
