Yesterday, ForAllSecure published a blog post by Guido Vranken detailing a vulnerability in OpenWrt, a Linux-based operating system for embedded devices that route network traffic. The vulnerability is found in OpenWrt’s opkg utility, which is used to install or update software. opkg pulls lists of installation packages from the OpenWrt website via an unencrypted HTTP connection. The package lists are digitally signed with a SHA256 hash by the OpenWrt maintainers, which the opkg installer checks to ensure the package list has not been tampered with.
However, there is a bug in the code that runs this check. A leading space in the checksum will cause opkg to skip the code that checks the integrity of the package and go straight to installation. Thus, a remote man-in-the-middle attacker could intercept the transmission of package lists and replace a package with a malicious one. The malicious package could then bypass the check, giving the attacker control over the device and the network traffic routed through it. Vranken explains how such a package could be created:
The sole constraint to reckon with is that the file size of compromised package must match the Size field in the package list.
Doing this is trivial:
- Create a package that is smaller than the original
- Compute the size difference between the original package and the compromised package
- Append this amount of zero bytes to the end of the compromised package
According to Vranken, this bug appeared all the way back in February of 2017. The vulnerability appears in the National Vulnerability Database and the Common Vulnerabilities and Exposures system as CVE-2020-7982, and has a vulnerability score of 8.1 (high). OpenWrt was alerted to the vulnerability and has released updates that contain a fix. Devices running OpenWrt should be updated to the latest version of the operating system or should have their opkg packages updated.
To our knowledge, OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0 as well as LEDE 17.01.0 to 17.01.7 are affected. The fixed packages are integrated in the OpenWrt 18.06.7, OpenWrt 19.07.1 and subsequent releases.
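The checksum bug described above is an instance of a fail-open check: a field that does not parse is treated as "nothing to verify". The following is an added example, a simplified model of that pattern beside a fail-closed version; it is not opkg's source code. The function names and sample digests are constructed for illustration, and `actual` is assumed to be the hex SHA256 of the downloaded file, computed elsewhere.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values: a 64-digit digest, a different one, and the
 * first one with a leading space as it might appear in a tampered list. */
static const char LISTED[]    = "e3b0c442" "98fc1c14" "9afbf4c8" "996fb924"
                                "27ae41e4" "649b934c" "a495991b" "7852b855";
static const char OTHER[]     = "f3b0c442" "98fc1c14" "9afbf4c8" "996fb924"
                                "27ae41e4" "649b934c" "a495991b" "7852b855";
static const char LISTED_SP[] = " e3b0c442" "98fc1c14" "9afbf4c8" "996fb924"
                                "27ae41e4" "649b934c" "a495991b" "7852b855";

/* Count leading hex digits; parsing stops at the first non-hex character. */
static size_t hex_prefix_len(const char *s) {
    size_t n = 0;
    while (isxdigit((unsigned char)s[n])) n++;
    return n;
}

/* Case-insensitive comparison of n hex digits. */
static int hex_equal(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Fail-open model: a field that yields no digest is treated as "no checksum
 * to check", so the download is accepted (1) without any comparison. */
int verify_fail_open(const char *field, const char *actual) {
    size_t n = hex_prefix_len(field);
    if (n == 0) return 1;                       /* check silently skipped */
    return n == 64 && hex_equal(field, actual, 64);
}

/* Fail-closed: anything but exactly 64 hex digits that match is rejected. */
int verify_fail_closed(const char *field, const char *actual) {
    if (strlen(field) != 64 || hex_prefix_len(field) != 64) return 0;
    return strlen(actual) == 64 && hex_equal(field, actual, 64);
}

int main(void) {
    printf("fail-open,   leading space, wrong file: %d\n", verify_fail_open(LISTED_SP, OTHER));
    printf("fail-closed, leading space, wrong file: %d\n", verify_fail_closed(LISTED_SP, OTHER));
    printf("fail-closed, clean field, right file:   %d\n", verify_fail_closed(LISTED, LISTED));
    return 0;
}
```

The design point is that a malformed or missing checksum must be an error in its own right, never a reason to skip verification.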