Hey again,

The security researcher published an article describing the details, a good read indeed.
https://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/

Best,
Paul

> On 6. Dec 2024, at 23:42, Christian Marangi (Ansuel) <ansuels...@gmail.com> wrote:
>
> Forwarding this also to devel list in case anyone might miss this.
>
> ---
> Hi,
>
> last Wednesday we got notified of a security issue of the sysupgrade
> server ASU[1]. It affected all ASU instances including the
> official instance[2].
> Official ASU instances run on dedicated servers separate from OpenWrt
> Buildbot and don't have access to any sensible resource (SSH Keys,
> Sign Certs...)
>
> NO OFFICIAL IMAGES from the downloads.openwrt.org were AFFECTED nor
> any custom images from 24.10.0-rc2.
>
> Available build logs for other custom images were checked and NO
> MALICIOUS REQUEST FOUND, however due to automatic cleanups no builds
> older than 7 days could be checked. Affected server is reset and
> reinitialized from scratch.
> Although the possibility of compromised images is near 0, it is
> SUGGESTED to the user to make an INPLACE UPGRADE to the same version
> to ELIMINATE any possibility of being affected by this.
>
> If you run a public, self hosted instance of ASU, please update it
> immediately (or apply the following commits [3] [4]).
>
> Please find all details below, on GitHub[5] or our own security tracker[6].
>
> Thanks to RyotaK from Flatt Security Inc. for finding and reporting this issue!
>
> Please be safe,
> Paul
>
> [1]: https://github.com/openwrt/asu
> [2]: https://sysupgrade.openwrt.org
> [3]: https://github.com/openwrt/asu/commit/deadda8097d49500260b171d2bf8ad2b048da04b
> [4]: https://github.com/openwrt/asu/commit/d4c9e8b555eee52f17698e9cea05dc45112dd31b
> [5]: https://github.com/openwrt/asu/security/advisories/GHSA-r3gq-96h6-3v7q
> [6]: https://openwrt.org/advisory/2024-12-06
>
> ---
>
> Below is a copy of the CVE detail and Timeline
>
> # Summary
>
> Due to the combination of the command injection in the
> `openwrt/imagebuilder` image and the truncated SHA-256 hash included
> in the build request hash, an attacker can pollute the legitimate
> image by providing a package list that causes the hash collision. The
> issue consists of two main components:
>
> 1. **Command Injection in Imagebuilder**: During image builds,
>    user-supplied package names are incorporated into `make` commands
>    without proper sanitization. This allows malicious users to inject
>    arbitrary commands into the build process, resulting in the production
>    of malicious firmware images signed with the legitimate build key.
>
> 2. **Truncated SHA-256 Hash Collisions**: The request hashing
>    mechanism truncates SHA-256 hashes to only 12 characters. This
>    significantly reduces entropy, making it feasible for an attacker to
>    generate collisions. By exploiting this, a previously built malicious
>    image can be served in place of a legitimate one, allowing the
>    attacker to "poison" the artifact cache and deliver compromised images
>    to unsuspecting users.
>
> Combined, these vulnerabilities enable an attacker to serve
> compromised firmware images through the ASU service, affecting the
> integrity of the delivered builds.
>
> # Timeline
>
> * 04.12.2024 2:56 UTC Issue reported by @Ry0taK
> * 04.12.2024 ~7:00 UTC Official instance on sysupgrade.openwrt.org
>   stopped by @aparcar
> * 04.12.2024 09:42 UTC Fix committed and deployed on
>   sysupgrade.openwrt.org by @aparcar
> * 04.12.2024 10:38 UTC Investigation if this was actively exploited
>   based on build logs with negative result for the last seven days
> * 04.12.2024 ~11:00 UTC Inform known maintainers of ASU instances to
>   upgrade immediately and expect further information soon
> * 05.12.2024 21:57 UTC Email to all OpenWrt project members asking for
>   further steps
> * 06.12.2024 ~12:00 UTC Release of specific commit showing the issue
>
> # Impact
>
> An attacker can compromise the build artifact delivered from
> sysupgrade.openwrt.org, allowing the malicious firmware image to be
> installed to the OpenWrt installation that uses the attended firmware
> upgrade, firmware-selector.openwrt.org, or CLI upgrade.
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
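As an added illustration (not the ASU project's own code; the request field names, the package-name allowlist and the function names are assumptions), the following Python shows the two defensive changes the advisory implies: reject anything that is not a plain package identifier before it can reach `make`, and key the artifact cache on the full SHA-256 digest rather than a 12-character prefix, with the birthday bound showing why the prefix was too short:

```python
import hashlib
import json
import math
import re

# Constructed sample request; field names are assumed, not ASU's real schema.
REQUEST = {
    "version": "24.10.0-rc2",
    "target": "ath79/generic",
    "profile": "tplink_archer-c7-v2",
    "packages": ["wireguard-tools", "luci"],
}

# Assumed allowlist for OpenWrt package names: an optional leading '-' (removal),
# then letters, digits, '.', '_', '+' and '-'. Shell metacharacters, whitespace
# and quotes never match, so they cannot be spliced into a make command line.
PACKAGE_NAME_RE = re.compile(r"^-?[A-Za-z0-9][A-Za-z0-9._+-]*$")


def invalid_package_names(packages):
    """Return the entries that fail the allowlist (empty list means all OK)."""
    return [p for p in packages if not PACKAGE_NAME_RE.match(p)]


def request_hash(request, hexlen=None):
    """Cache key for a build request.

    hexlen=12 reproduces the weak 48-bit truncation; hexlen=None keeps the
    full 64 hex characters (256 bits). Packages are validated and sorted
    so equivalent requests canonicalize to the same key.
    """
    bad = invalid_package_names(request["packages"])
    if bad:
        raise ValueError(f"invalid package names: {bad}")
    canon = json.dumps(
        {**request, "packages": sorted(request["packages"])},
        sort_keys=True, separators=(",", ":"),
    )
    digest = hashlib.sha256(canon.encode()).hexdigest()
    return digest if hexlen is None else digest[:hexlen]


def birthday_work(hexlen):
    """Approximate number of distinct requests that must be hashed before a
    collision among them is likely: sqrt(pi/2 * 2^bits). About 2.1e7 for a
    12-hex-character key, about 4.3e38 for the full digest."""
    bits = 4 * hexlen
    return math.sqrt(math.pi / 2 * 2 ** bits)
```

Twenty million build requests is well within reach of one client against a public service, which is why the key length, not only the input sanitization, had to change.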