MediaTek vulnerability

Are we patched up?

1 Like

MediaTek SDK not installed.....
https://corp.mediatek.com/product-security-bulletin/March-2024

4 Likes

I do not see how this would be related to OpenWrt at all, despite the blog mentioning "OpenWrt 19.07, 21.02". Keep in mind that MediaTek's SDK is materially different from OpenWrt: proprietary wireless drivers, custom configuration backends/dæmons, etc. The primary source of this vulnerability, wappd, does not exist in OpenWrt at all (never did), nor any of the IAPP_ procedures the exploits are hooking into, nor are you ever going to encounter an ra0 interface on OpenWrt.

That aside, in 19.07 there pretty much was zero mt7622 support in OpenWrt to begin with (apart from basic support for the reference board), 21.02 didn't have much of that either (bpi-r64, wrc-2533, unifi-6-lr - the unifi being the most popular of that bunch). WAX206 support was only merged in mid-2022 and the earlier/more popular e8450/rt3200 also after 21.02.x, so even if there were some overlap, there'd be something amiss with the history here.

tl;dr: the mentioned bugs appear to be exclusively inside the proprietary parts of MediaTek's SDK, nothing of which is used or even present in OpenWrt. The blog could be more explicit about this distinction.

7 Likes

The first link contains a fake reference to OpenWrt, while MITRE/NVD clearly says MediaTek is the sw vendor.

1 Like

Affected software: SDK version 7.4.0.1 and before (for MT7915) / SDK version 7.6.7.0 and before (for MT7916, MT7981 and MT7986)

mtk wifi proprietary drivers