• A vulnerability in the OpenWrt attended sysupgrade server

    From LWN.net@1337:1/100 to All on Monday, December 09, 2024 15:00:06

    Date:
    Mon, 09 Dec 2024 14:48:54 +0000

    Description:
    The OpenWrt project has issued an advisory regarding a vulnerability found
    in its Attended Sysupgrade Server that could allow compromised packages to
    be installed on a router by an attacker. No official OpenWrt images were
    affected, and the vulnerability is not known to be exploited, but users who
    have installed images created with an instance of this server are
    recommended to reinstall. For a detailed description of how the exploit
    works, see this blog post: "Then, as the hash collision occurred, the
    server returns the overwritten build artifact to the legitimate request
    that requests the following packages. [...] By abusing this, an attacker
    could force the user to upgrade to the malicious firmware, which could lead
    to the compromise of the device."
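    The quoted excerpt describes a build server handing a cached artifact to a
    request that only shares the artifact's cache key. The sketch below is an
    added example, not the OpenWrt ASU server's code and not from the advisory
    or the blog post; it shows the defensive pattern a build cache should
    follow: key entries on a full SHA-256 of the canonical request, and on every
    read verify both that the stored request equals the incoming one and that
    the artifact bytes still match the digest recorded at build time. Target,
    version and package names are constructed placeholders.

```python
import hashlib
import json

# Hypothetical build-cache sketch (not the OpenWrt ASU server's code). Demonstrates:
# identify a build by a full SHA-256 over the canonical request, and re-check the
# stored request and artifact on every read instead of trusting the key alone.


class CacheMismatch(Exception):
    """Raised when a cached entry does not match the request that asked for it."""


def canonical_request(target, version, packages):
    # Deterministic encoding: de-duplicated, sorted package list, sorted keys, no whitespace.
    return json.dumps(
        {"target": target, "version": version, "packages": sorted(set(packages))},
        sort_keys=True,
        separators=(",", ":"),
    )


def request_key(target, version, packages):
    # Full 64-hex-character SHA-256 of the canonical request; never truncate the key.
    return hashlib.sha256(canonical_request(target, version, packages).encode()).hexdigest()


class BuildCache:
    def __init__(self):
        self._store = {}  # key -> entry; stands in for a directory of cached builds

    def put(self, target, version, packages, artifact):
        key = request_key(target, version, packages)
        self._store[key] = {
            "request": canonical_request(target, version, packages),
            "artifact": artifact,
            "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        }
        return key

    def get(self, target, version, packages):
        entry = self._store.get(request_key(target, version, packages))
        if entry is None:
            return None  # cache miss: caller must build
        # Check 1: the stored request must equal this request, not merely share its key.
        if entry["request"] != canonical_request(target, version, packages):
            raise CacheMismatch("cached entry was built for a different request")
        # Check 2: the artifact bytes must still match the digest recorded at build time.
        if hashlib.sha256(entry["artifact"]).hexdigest() != entry["artifact_sha256"]:
            raise CacheMismatch("cached artifact has been modified since it was built")
        return entry["artifact"]

    def tamper(self, target, version, packages, new_artifact):
        # Test hook: simulates the stored file being overwritten out of band.
        self._store[request_key(target, version, packages)]["artifact"] = new_artifact


def demo():
    # Constructed request and image bytes; returns (served bytes, refused-after-tamper flag).
    cache = BuildCache()
    req = ("constructed-target", "constructed-version", ["luci", "wireguard-tools"])
    cache.put(*req, b"CONSTRUCTED legitimate image bytes")
    served = cache.get(*req)
    cache.tamper(*req, b"CONSTRUCTED replaced image bytes")
    try:
        cache.get(*req)
        refused = False
    except CacheMismatch:
        refused = True
    return served, refused


if __name__ == "__main__":
    print(demo())
```

    The second check is what matters for the failure mode in the excerpt: even
    if two requests ended up under one key, or a stored artifact were replaced
    after the build, the server refuses to serve it rather than returning the
    wrong image to a legitimate request.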

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1001441/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)