Millions of routers running OpenWRT vulnerable to attack
A vulnerability (CVE-2020-7982) discovered in the package manager of the OpenWRT open source operating system could allow attackers to compromise the embedded and networking devices running it.
About OpenWRT
OpenWRT is an open source, Linux-based operating system that can be run of various types of networking devices (home routers, gateways, repeaters, access points, single board computers, etc.) instead of the software/firmware that vendors usually ship with them.
For example, it can be used on popular Asus, D-Link, Linksys, MikroTik, Netgear, TP-Link routers and other devices.
“Instead of trying to create a single, static firmware, OpenWRT provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application,” the OpenWRT Project explains.
“For developers, OpenWRT is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.”
OpenWRT is generally more often updated than regular vendor-provided stock firmware, so it is generally a better option for those that care about security and know how to make the switch.
About the vulnerability (CVE-2020-7982)
CVE-2020-7982 is a bug in the OpenWRT’s OPKG package manager that may allow attackers to bypass the integrity checking of downloaded .ipk packages.
“Due to the fact that opkg on OpenWRT runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged .ipk packages with malicious payload,” the maintainers explained
More information about the flaw can be found in this blog post by researcher Guido Vranken, working for ForAllSecure, who discovered and reported it.
But, in short:
- The attacker must either intercept and replace communication between the vulnerable device and the download web server or be able to change the device’s DNS settings to make downloads.openwrt.org point to a web server controlled by the attacker, and
- Make sure that the forged, malicious package is the same size as the legitimate package (as specified in the repository index).
“Attacks on a local network using packet spoofing or ARP cache poisoning might be possible, but this has not been tested,” Vranken added.
This vulnerability has been fixed since OpenWRT versions 18.06.7 and 19.07.1 were released in late January, but another serious security flaw (CVE-2020-8597) has been fixed in subsequent versions released in late February, so users are advised to upgrade to one of the most recent OpenWRT versions.