Security Advisory 2024-12-06-1 - OpenWrt Attended SysUpgrade server (CVE-2024-54143)

Got this via e-mail, read it but didn't understand it: https://openwrt.org/advisory/2024-12-06

Can someone explain to me and tell me if and what I have to do on my openwrt router?

Thanks in advance and kind regards

1 Like

My reading of this suggests that there's very little danger. A vulnerability was discovered in the build system that provides images to end-user routers going through the attended sysupgrade process. That vulnerability, had it been exploited, would have enabled an attacker to cause the creation of a compromised system image which would have been delivered to routers being upgraded. The issue was fixed as soon as it was reported, and there is no sign that anyone had exploited it in the last seven days. It's possible it was exploited at some point in the past, but there is presumably no evidence of this, and no-one is advising you to do anything, just letting you know about it.

Please correct me if I've misunderstood anything.

4 Likes

Unless you did an ASU upgrade (LuCI ASU app, auc, owut, Firmware Selector) for your most recent upgrade, then nothing.

If you did, then there's a 1 ppm (or less) chance that the build may have possibly been compromised (there's no evidence that anyone exploited the vulnerability).

If you did do an ASU upgrade, just do another upgrade right now. (I looked at the reports and am not going to do anything; I feel the probability of compromise is just too minuscule to bother, but that's my choice, you need to make your own.)

4 Likes

Thank you.
I did an upgrade via the auc command a few days ago.
Now I can't do it again because sysupgrade.openwrt.org seems to be down.
I will try again later.

How could I tell if my build has been compromised if it were?

In short, you can't.
The security problem was about the ASU build process, not about an identified insertion of some code to the image itself. So, there is nothing exact to check in your image.

But like efahl said, the real chances of actual compromise are really minimal.
If I understand correctly, it would have required the hacker to have prepared a malicious image that is changed to contain malicious code, but still works for your router model and still matches the original hash calculated from your exact router model + your exact package selection. Pretty hard for the hacker. (And, of the billions of possibilities, why would just your selection be the poisoned one, the attack target?)

Like the devs say in the security advisory:

Although the possibility of compromised images is near 0, it is
SUGGESTED to the user to make an INPLACE UPGRADE ...

1 Like
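For an image that was downloaded by hand from the release mirror rather than built by ASU, there is a check that does exist: compare the file's SHA-256 against the release's sha256sums file (which, on downloads.openwrt.org, is signed with the OpenWrt release key). The script below is an added example and is not code from the OpenWrt project or from anyone in this thread. It constructs a stand-in "image" file and a matching sha256sums entry so it runs offline; the file names are made up. Note the caveat the reply above makes: for an ASU build the checksum comes from the same server that produced the image, so a matching hash there says nothing about whether the build was tampered with.

```shell
#!/bin/sh
# Added example, not OpenWrt project code: verify a manually downloaded
# sysupgrade image against a sha256sums file of the kind published with each
# release. Only meaningful for images from downloads.openwrt.org; an ASU
# build's checksum is produced by the same server that built the image.

# verify_image SUMS_FILE IMAGE_FILE
# Returns 0 when IMAGE_FILE's SHA-256 matches the entry for its basename in
# SUMS_FILE, 1 when there is no entry or the hash differs.
verify_image() {
    sums="$1"
    image="$2"
    name=$(basename "$image")
    # Lines look like "<64 hex>  *<filename>" (binary mode, as OpenWrt publishes)
    # or "<64 hex>  <filename>" (text mode); strip a leading '*' from the name.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Constructed sample data (assumed names, not a real release): a stand-in
# image, a sha256sums file generated from it, and a tampered copy with the
# same basename in another directory that must be rejected.
WORK=$(mktemp -d)
IMG="$WORK/openwrt-example-sysupgrade.bin"
SUMS="$WORK/sha256sums"
mkdir "$WORK/tampered"
BAD="$WORK/tampered/openwrt-example-sysupgrade.bin"

printf 'constructed stand-in for a firmware image\n' > "$IMG"
printf '%s *%s\n' "$(sha256sum "$IMG" | awk '{ print $1 }')" "$(basename "$IMG")" > "$SUMS"
printf 'constructed stand-in for a firmware image, with one extra byte\n' > "$BAD"

# Before trusting sha256sums from the mirror, check its signature too
# (usign from the OpenWrt tree; the release keys live in /etc/opkg/keys on a
# router). Not run here because the sample file is unsigned:
#   usign -V -m sha256sums -P /etc/opkg/keys

if verify_image "$SUMS" "$IMG"; then
    echo "OK: $(basename "$IMG") matches sha256sums"
fi
if verify_image "$SUMS" "$BAD"; then
    echo "unexpected: tampered copy accepted" >&2
    exit 1
else
    echo "tampered copy rejected"
fi
```

On a real download you would run `verify_image sha256sums openwrt-<version>-<target>-sysupgrade.bin` with both files from the same release directory, after checking the usign signature on sha256sums. A failing hash means the file is not the one the project published, whether because of a truncated download or tampering; a passing hash on an ASU-built image is not evidence of anything, which is why the advice in this thread is simply to re-run the upgrade.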

sysupgrade.openwrt.org seems to be working again.
Is it enough to use the auc command again, or auc -f?

Yup, just do auc -f to save seeing a "nothing to do..." message.

1 Like

Thank you all.
I've done the attended sysupgrade. There have been a dozen packages to upgrade.

CVE-2024-54143 was disclosed recently and it revealed some vulnerabilities in the attended sysupgrade service. See also:

https://lists.openwrt.org/pipermail/openwrt-announce/2024-December/000062.html

Is there any confirmation about if the vulnerability has been actively exploited? Thank you.

Also also also.... Maybe start with primary sources?
https://openwrt.org/docs/guide-developer/security

2 Likes

Look at Security Advisory 2024-12-06-1 - OpenWrt Attended SysUpgrade server (CVE-2024-54143)

1 Like

Thank you, I was searching using the CVE number and didn't see the posts.

1 Like

sysupgrade.openwrt.org is still NOT working.

Saw this news on Instagram.

Is it true?

1 Like

See this post on the mailing list. So yes, it's true, but it has been fixed already. All builds from the last 7 days were checked and no build was infected. This was also explained on the mailing list here.

5 Likes

thank you!

I would like to clarify: if we only manually downloaded from https://firmware-selector.openwrt.org/, then is there no need to reflash?

The version number for my firmware has not changed.

1 Like

You know nothing, JonSnow. (Sorry, I had to).

I believe that direct downloads are not an issue, but certainly not a problem if you didn’t customize the image.

3 Likes

And if I customized the images using the firmware selector?

1 Like