A new vulnerability was detected in the package manager of the OpenWRT open-source operating system. Identified as CVE-2020-7982, the vulnerability could allow threat actors to compromise embedded and networking devices running the OS.
What does the official CVE-2020-7982 MITRE description say?
“An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification),” MITRE says.
More about OpenWRT
In short, OpenWRT is an open-source, Linux-based operating system suitable for various types of networking devices, ranging from home routers and access points to board computers. The OS can be deployed instead of the firmware or software that vendors ship with these devices.
According to OpenWRT’s own description, “instead of trying to create a single, static firmware, OpenWRT provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application.”
The vulnerability is located in OpenWRT’s opkg package manager. It could allow threat actors to circumvent the integrity checking of downloaded .ipk packages.
In order to exploit this vulnerability, a hacker will have to act as a man-in-the-middle (MITM), serving a valid and signed package index (such as one obtained from downloads.openwrt.org) and one or more forged .ipk packages having the same size as specified in the repository index, while an `opkg install` command is invoked on the victim system, as per OpenWRT’s description of the issue.
In addition, the threat actor must either intercept and replace communication between the vulnerable device and the download web server or be able to change the device’s DNS settings to make downloads.openwrt.org point to a web server controlled by the attacker.
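The integrity check at issue can be illustrated with a short added example, which is not opkg's code and not taken from OpenWRT: it compares a size-only check (a simplified model of what remains when the embedded checksum is not verified) with a check that fails closed when the checksum is missing or cannot be parsed. The stanza, package name and payloads are constructed sample data, and the index signature is assumed to have been verified already.

```python
import hashlib
import re

# Constructed sample data, not real OpenWrt packages or index contents.
GENUINE = b"genuine package contents"
FORGED = b"forged! package contents"  # deliberately the same length as GENUINE

# One stanza of a Packages index; its signature is assumed to be verified already.
INDEX_STANZA = f"""\
Package: example
Version: 1.0-1
Size: {len(GENUINE)}
SHA256sum: {hashlib.sha256(GENUINE).hexdigest()}
Filename: example_1.0-1_all.ipk
"""

def parse_stanza(text):
    """Parse 'Key: value' lines of one index stanza into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def verify_size_only(payload, fields):
    """Model of the flawed outcome: only the size is compared."""
    return str(len(payload)) == fields.get("Size")

def verify_strict(payload, fields):
    """Fail closed: size and a well-formed SHA-256 must both match."""
    digest = fields.get("SHA256sum", "")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", digest):
        return False  # missing or unparseable checksum rejects, never skips
    if str(len(payload)) != fields.get("Size"):
        return False
    return hashlib.sha256(payload).hexdigest() == digest.lower()

if __name__ == "__main__":
    fields = parse_stanza(INDEX_STANZA)
    for name, blob in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, "size-only:", verify_size_only(blob, fields),
              "strict:", verify_strict(blob, fields))
    no_sum = {k: v for k, v in fields.items() if k != "SHA256sum"}
    print("no checksum, strict:", verify_strict(GENUINE, no_sum))
```

The same comparison can be made by hand on a device by checking the SHA-256 of a downloaded .ipk against the SHA256sum field of the signed index before installing it.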
The good news is that the CVE-2020-7982 vulnerability has already been fixed. OpenWRT versions 18.06.7 and 19.07.1 were released in late January, and they have the bug fixed. “To our knowledge, OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0 as well as LEDE 17.01.0 to 17.01.7 are affected. The fixed packages are integrated in the OpenWrt 18.06.7, OpenWrt 19.07.1 and subsequent releases,” the team said.
However, another serious vulnerability, CVE-2020-8597, has been fixed in subsequent versions that were released in late February. To avoid any compromise, users are advised to upgrade to one of the most recent OpenWRT versions.