Security Advisory 2019-11-05-2 - LuCI CSRF vulnerability (CVE-2019-17367)

A logic flaw in LuCI's HTTP routing component led to ineffective CSRF token testing for various request endpoints, specifically ones using the arcombine() dispatch action.

This allows 3rd party web pages running in the same browser session as an active LuCI login session to perform unintended operations on the device without user intervention, such as changing firewall rules or reconfiguring the network.

In order to exploit this vulnerability, a user needs to be logged into LuCI while visiting malicious websites in the same browser session, e.g. within a different tab.

To fix this issue, update the affected LuCI package using the command below.

 opkg update; opkg upgrade luci-base

The fix is contained in the following and later versions:

• OpenWrt master: git-19.282.28544-f8c6eb6
• OpenWrt 19.07: git-19.282.28544-f8c6eb6
• OpenWrt 18.06: git-19.282.28671-ee38da9

To workaround the problem, avoid visiting malicious sites while being logged into LuCI. Changing the default router IP and hostname can also help to mitigate the issue somewhat as CSRF exploits require predictable URL targets to work.

To our knowledge, LuCI packages with OpenWrt versions 18.06.0 to 18.06.4 are affected.

The fixed LuCI packages are integrated in the OpenWrt 18.06.5, OpenWrt 19.07.0-rc1 and subsequent releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

The issue has been reported by Abhinav Mohanty <amohant1 at uncc.edu>, Parag Mhatre <pmhatre1 at uncc.edu> and Dr. Meera Sridhar <msridhar at uncc.edu> from the University of North Carolina, Charlotte on 8th October 2019.

The issue has been fixed by Jo-Philipp Wich <jo at mein.io>

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17367
• https://github.com/openwrt/luci/commit/f8c6eb67cd9da09ee20248fec6ab742069635e47
• https://github.com/openwrt/luci/commit/ee38da958abeceb31fbd1f3b8e42afe5897dde7f