| advisory:2024-12-06 [2024/12/06 10:55] – add title aparcar | advisory:2024-12-06 [2024/12/06 12:07] – Add impact details ynezz |
|---|
| ===== DESCRIPTION ===== | ===== DESCRIPTION ===== |
| |
| Due to the combination of the command injection in the `openwrt/imagebuilder` image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision. The issue consists of two main components: | Due to the combination of the command injection in the `openwrt/imagebuilder` image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision. The issue consists of two main components: |
| |
| 1. **Command Injection in Imagebuilder**: During image builds, user-supplied package names are incorporated into `make` commands without proper sanitization. This allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key. | 1. **Command Injection in Imagebuilder**: During image builds, user-supplied package names are incorporated into 'make' commands without proper sanitization. This allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key. |
| |
| 2. **Truncated SHA-256 Hash Collisions**: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users. | 2. **Truncated SHA-256 Hash Collisions**: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users. |
| An attacker needs the ability to submit build requests containing crafted package lists. No authentication is required to exploit the vulnerabilities. By injecting commands and causing hash collisions, the attacker can force legitimate build requests to receive a previously generated malicious image. | An attacker needs the ability to submit build requests containing crafted package lists. No authentication is required to exploit the vulnerabilities. By injecting commands and causing hash collisions, the attacker can force legitimate build requests to receive a previously generated malicious image. |
| |
| | ===== IMPACT ===== |
| |
| | An attacker can compromise the build artifact delivered from [[https://sysupgrade.openwrt.org/|sysupgrade.openwrt.org]], allowing a malicious firmware image to be installed on any OpenWrt installation that obtains its image through the attended firmware upgrade, [[https://firmware-selector.openwrt.org|firmware-selector.openwrt.org]], or a CLI upgrade. |
| ===== MITIGATIONS ===== | ===== MITIGATIONS ===== |
| |
| Update the ASU past commit. [[https://github.com/openwrt/asu/commit/7438c921de55c5cac605e72aa9f7c4b0468cdec2|920c8a13d97b4d4095f0d939cf0aaae777e0f87e]] | Fixed in the following commits: |
| | |
| | * [[https://github.com/openwrt/asu/commit/deadda8097d49500260b171d2bf8ad2b048da04b|util: security: critical: use full hash length]] |
| | * [[https://github.com/openwrt/asu/commit/deadda8097d49500260b171d2bf8ad2b048da04b|build_request: security: critical: fix user input validation]] |
| |
| ===== AFFECTED VERSIONS ===== | ===== AFFECTED VERSIONS ===== |
| ===== CREDITS ===== | ===== CREDITS ===== |
| |
| This issue was identified and [[https://github.com/openwrt/asu/security/advisories/GHSA-r3gq-96h6-3v7q|responsibly disclosed]] by security researcher [[https://github.com/Ry0taK|RyotaK]]. | This issue was identified and [[https://github.com/openwrt/asu/security/advisories/GHSA-r3gq-96h6-3v7q|responsibly disclosed]] by security researcher [[https://github.com/Ry0taK|RyotaK]]. |
| | |
| | |
| | ===== TIMELINE ===== |
| | |
| | |
| | * //04.12.2024 2:56 UTC// - Issue reported by @Ry0taK |
| | * //04.12.2024 ~7:00 UTC// - Official instance on sysupgrade.openwrt.org stopped by @aparcar |
| | * //04.12.2024 09:42 UTC// - Fix committed and deployed on sysupgrade.openwrt.org by @aparcar |
| | * //04.12.2024 10:38 UTC// - Investigation of whether this was actively exploited, based on build logs of the last seven days, found no evidence of exploitation |
| | * //04.12.2024 ~11:00 UTC// - Informed known maintainers of ASU instances to upgrade immediately and to expect further information soon |
| | * //05.12.2024 21:57 UTC// - Email to all OpenWrt project members asking for further steps |
| | * //06.12.2024 ~12:00 UTC// - Release of specific commit showing the issue |
| |
| ===== REFERENCES ===== | ===== REFERENCES ===== |
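
The two fixes listed under MITIGATIONS (validating user-supplied package names before they reach `make`, and hashing the build request with the full SHA-256 digest instead of a 12-character prefix) can be illustrated with a small Python example. The code below is an added example written for this page; it is not the ASU project's code and does not reproduce its API. The allow-list pattern for package names, the canonical JSON encoding of a request, and the `make image PROFILE=... PACKAGES=...` argument layout are assumptions made for the illustration.

```python
"""Added example: strict package-name validation and full-length request hashing.

Illustrative code written for this page, not the openwrt/asu project's own code.
"""
import hashlib
import json
import re

# Assumed allow-list for package names: a leading alphanumeric, then letters,
# digits, '.', '_', '+', '-'. An optional leading '-' is permitted because the
# imagebuilder uses it to drop a default package. Anything a shell or make could
# interpret (spaces, ';', '$', '`', '(', quotes, newlines) is rejected outright.
PACKAGE_NAME_RE = re.compile(r"^-?[A-Za-z0-9][A-Za-z0-9._+-]*$")
# Assumed profile-name policy: same characters, no leading '-'.
PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


class InvalidBuildRequest(ValueError):
    """Raised when user input does not match the allow-list."""


def validate_packages(packages):
    """Return the package list deduplicated and sorted, or raise on any entry
    that does not match PACKAGE_NAME_RE (allow-list, not a deny-list)."""
    cleaned = set()
    for name in packages:
        if not isinstance(name, str) or not PACKAGE_NAME_RE.fullmatch(name):
            raise InvalidBuildRequest(f"rejected package name: {name!r}")
        cleaned.add(name)
    return sorted(cleaned)


def validate_profile(profile):
    """Return the profile name unchanged if it matches PROFILE_NAME_RE."""
    if not isinstance(profile, str) or not PROFILE_NAME_RE.fullmatch(profile):
        raise InvalidBuildRequest(f"rejected profile name: {profile!r}")
    return profile


def request_hash(request, length=None):
    """SHA-256 over a canonical JSON encoding of the request (sorted keys,
    no whitespace). length=None keeps all 64 hex characters; a small length
    reproduces the weak truncation described in the advisory."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return digest if length is None else digest[:length]


def collision_work_factor_bits(hex_chars):
    """Birthday-bound estimate: a digest truncated to hex_chars hex characters
    carries 4*hex_chars bits, so a collision is expected after about
    2**(4*hex_chars/2) hashes. Returned as the exponent (bits)."""
    return hex_chars * 4 / 2


def make_argv(profile, packages):
    """Build the imagebuilder invocation as an argv list (never a single shell
    string) from already-validated inputs. Validation is still the real defence:
    make itself hands PACKAGES to a shell, so the allow-list is what keeps
    metacharacters out."""
    prof = validate_profile(profile)
    pkgs = validate_packages(packages)
    return ["make", "image", f"PROFILE={prof}", "PACKAGES=" + " ".join(pkgs)]


if __name__ == "__main__":
    # Constructed sample requests, not real build requests.
    good = {"profile": "generic", "packages": ["luci", "-ppp", "luci"]}
    print("argv:", make_argv(good["profile"], good["packages"]))
    print("full hash:", request_hash(good))
    print("12-char prefix:", request_hash(good, length=12))
    print("collision work, 12 hex chars: ~2^%d hashes"
          % collision_work_factor_bits(12))
    print("collision work, 64 hex chars: ~2^%d hashes"
          % collision_work_factor_bits(64))
    try:
        validate_packages(["luci;echo"])
    except InvalidBuildRequest as exc:
        print("rejected:", exc)
```

The work-factor helper makes the second finding concrete: 12 hex characters are 48 bits, so the birthday bound puts an expected collision at roughly 2^24 hashes, whereas the full 64-character digest sits at roughly 2^128. Keying the artifact cache on the full digest removes that gap; the allow-list on package and profile names removes the path by which a crafted entry could reach `make` in the first place.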