Recent OpenWrt Security Advisories

First, before you panic, please read the advisories.

They do not mean that your router has been compromised, or even is about to be compromised.

Second, do not "bulk update" all your packages!

Bulk updating can create more problems than it resolves. Flashing a new, complete image is often the safest course of action.

Third, these obscure security issues were resolved quickly


Upgrade if not on 18.06.5 or 19.07-RC1 to a current version/snapshot

[OpenWrt-Devel] Security Advisory 2019-11-05-1 - LuCI stored XSS

To workaround the problem, avoid joining networks with HTML code in the

[OpenWrt-Devel] Security Advisory 2019-11-05-2 - LuCI CSRF vulnerability (CVE-2019-17367)

To workaround the problem, avoid visiting malicious sites while being
logged into LuCI. Changing the default router IP and hostname can also
help to mitigate the issue somewhat as CSRF exploits require predictable
URL targets to work.

[OpenWrt-Devel] Security Advisory 2019-11-05-3 - ustream-ssl information disclosure (CVE-2019-5101, CVE-2019-5102)

In order to exploit this vulnerability, a malicious actor needs to
perform a man-in-the-middle attack, presenting a requesting ustream-ssl
client with any invalid certificate. The ustream-ssl client will
eventually tear down the SSL connection due to that, but only after
flushing pending data, e.g. the HTTP request payload in case of an
HTTPS client application.

(Upgrade if not on 18.06.5 or 19.07 to a current version/snapshot)


BTW there is complete and up to date list of security advisories on the wiki at advisory and on security pages.

OpenWrt doesn't send updates of the security advisories via email, but the security advisory might be updated on the wiki, so it's recommended to check wiki for the latest and greatest content.

1 Like