OpenWRT is a popular open-source Linux operating system used on many embedded devices, such as routers and other networking equipment. It is known for its customization, flexibility, and high performance. The OpenWRT project maintains an image-on-demand server named "asu" to ease the process of distributing and applying software updates to devices running OpenWRT.

In this blog post, we will discuss a newly uncovered vulnerability, CVE-2024-54143, in the request hashing mechanism of the openwrt/asu image server. This vulnerability allows an attacker to poison the artifact cache of the server and deliver compromised images to unsuspecting users.

Vulnerability Details

The openwrt/asu system processes image building requests and takes care of fetching the appropriate software packages and integrating them into a new firmware image. To avoid redundant image builds, the server calculates a hash from the incoming request parameters and checks whether an image with the same hash already exists in the cache.

However, the request hashing mechanism uses only the first 12 characters of the SHA-256 hash, which significantly reduces the effective key space and makes it feasible for an attacker to generate collisions. By exploiting this vulnerability, an attacker can cause a previously built malicious image to be served in place of a legitimate one, essentially "poisoning" the artifact cache. As a result, users who download and install these compromised images risk giving the attacker unauthorized access to their devices.

Exploit

To demonstrate the exploit, let's consider an attacker who wants to tamper with the OpenWRT firmware version 18.06.5 for a TP-Link Archer C7 v2 router. The attacker needs to generate a malicious request that produces a truncated hash collision with the hash of a legitimate request for the same firmware version.

The legitimate request can be represented as follows:

{
  "version": "18.06.5",
  "model": "tplink_archer-c7-v2",
  ...
}

The malicious request can be crafted by adding specific spoofed parameters such that it yields the same truncated hash, for example:

{
  "version": "18.06.5",
  "model": "tplink_archer-c7-v2",
  "malicious_param": "XyZ123",
  ...
}

Once a collision is found, the attacker can submit the malicious request to the openwrt/asu server, which then generates a compromised firmware image with the attacker's payload and stores it in the cache, using the truncated hash as a key.

When an unsuspecting user requests the firmware image for their TP-Link Archer C7 v2 router, the openwrt/asu server finds an existing cache entry under the same truncated hash and serves the compromised firmware from the cache.

Mitigation

The OpenWRT team has been made aware of this vulnerability and addressed it in commit 920c8a1. If you're running an instance of openwrt/asu, it's crucial to update it to the patched version to mitigate the risk of delivering malicious firmware images to your users.
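The following Python block is an added illustration written for this post; it is not code from openwrt/asu or from commit 920c8a1. It models the two points made above: a cache key that keeps only 12 hex characters of SHA-256 (48 bits) can be collided with on the order of 2^24 hashes by the birthday bound, whereas the full 64-character digest cannot, and a cache that stores the canonical request next to each artifact and compares it on lookup refuses to serve an entry reached through a colliding key. The request fields beyond "version" and "model", the canonical JSON serialization, and the ArtifactCache class are assumptions of this example. The "poisoned" entry is written directly into the cache slot rather than found by searching for a collision.

```python
import hashlib
import json
import math

# Constructed sample request; only the version and model strings come from the post.
LEGIT_REQUEST = {
    "version": "18.06.5",
    "model": "tplink_archer-c7-v2",
    "packages": ["luci"],
}


def canonical(request: dict) -> bytes:
    """Deterministic serialization so that equal requests always hash identically (assumed scheme)."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def truncated_key(request: dict, hex_chars: int = 12) -> str:
    """Weak derivation described in the post: only the first 12 hex characters
    (48 bits) of the SHA-256 digest are kept as the cache key."""
    return hashlib.sha256(canonical(request)).hexdigest()[:hex_chars]


def full_key(request: dict) -> str:
    """Hardened derivation: the complete 64-hex-character (256-bit) digest."""
    return hashlib.sha256(canonical(request)).hexdigest()


def birthday_attempts(hex_chars: int) -> float:
    """Number of distinct requests one must hash before two of them share a
    key with ~50% probability: about sqrt(pi/2 * 2^bits) (birthday bound)."""
    bits = 4 * hex_chars
    return math.sqrt(math.pi / 2 * 2 ** bits)


class ArtifactCache:
    """Build cache keyed by key_fn(request) (hypothetical, not the project's class).

    With verify_request=True the canonical request is stored next to the artifact
    and compared on lookup, so an entry reached through a colliding key is treated
    as a miss instead of being served: defence in depth on top of a full-length key.
    """

    def __init__(self, key_fn, verify_request: bool = True):
        self.key_fn = key_fn
        self.verify_request = verify_request
        self.store = {}  # key -> (canonical request bytes, artifact bytes)

    def put(self, request: dict, artifact: bytes) -> None:
        self.store[self.key_fn(request)] = (canonical(request), artifact)

    def get(self, request: dict):
        entry = self.store.get(self.key_fn(request))
        if entry is None:
            return None
        stored_request, artifact = entry
        if self.verify_request and stored_request != canonical(request):
            # Same key, different request: a collision reached this slot. Refuse it.
            return None
        return artifact


def round_trip(key_fn) -> bytes:
    """Normal operation: an artifact built for a request is served for that same request."""
    cache = ArtifactCache(key_fn)
    cache.put(LEGIT_REQUEST, b"built image")
    return cache.get(LEGIT_REQUEST)


def serve_from_poisoned_cache(verify_request: bool):
    """Simulate the post's scenario without searching for a real collision: an
    artifact built for a different (constructed) request is written directly
    into the slot that the legitimate request maps to under the 12-char key."""
    cache = ArtifactCache(truncated_key, verify_request)
    other_request = {**LEGIT_REQUEST, "packages": ["luci", "constructed-extra"]}
    cache.store[truncated_key(LEGIT_REQUEST)] = (
        canonical(other_request),
        b"artifact built for other_request",
    )
    return cache.get(LEGIT_REQUEST)


if __name__ == "__main__":
    print("truncated key:", truncated_key(LEGIT_REQUEST))
    print("full key     :", full_key(LEGIT_REQUEST))
    print(f"~{birthday_attempts(12):.3g} hashes to collide a 12-char key, "
          f"~{birthday_attempts(64):.3g} for the full digest")
    print("naive cache serves    :", serve_from_poisoned_cache(verify_request=False))
    print("verifying cache serves:", serve_from_poisoned_cache(verify_request=True))
```

Running the block prints the two key forms, the birthday-bound estimates (roughly 2.1e7 hashes for the 12-character key versus about 4.3e38 for the full digest), and shows that the naive cache hands out the foreign artifact while the verifying cache returns a miss. When checking a deployed instance, the practical test is the key length: cache keys of 12 hex characters indicate the vulnerable derivation, 64 the full digest.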

References

1. OpenWRT website: https://openwrt.org/
2. OpenWRT "asu" source code: https://github.com/aparcar/asu
3. Commit 920c8a1: https://github.com/aparcar/asu/commit/920c8a1

Conclusion

CVE-2024-54143 highlights the importance of software integrity and the risks associated with cache poisoning. Regularly updating, auditing, and monitoring your software infrastructure is vital to protecting your assets from cyber threats.

Timeline

Published on: 12/06/2024 17:15:12 UTC