OpenWrt, one of the most popular alternative firmware options for routers, has released a firmware update in response to a supply chain vulnerability disclosed last week. In an email advisory, OpenWrt said users should update to the latest image so that they are protected against any future exploitation of the flaw.

It must be noted that OpenWrt says it has not been affected by the threat. The email clarified that images hosted on the official download site have not been modified, and that custom images built from version 24.10.0-rc2 onwards were also untouched. The firmware update is therefore a precaution, so that users are not exposed to any potential attack using the flaw.
The issue came to light last Wednesday, following a report from a researcher at Flatt Security, a Japanese security firm. The researcher, who goes by the name Ry0taK, informed OpenWrt of a security issue in the platform's Attended SysUpgrade server (ASU). By chaining a command injection in the build process with a hash collision, an attacker could have replaced a legitimate image with a malicious one.
Had it gone unnoticed, the flaw could have been used to produce polluted images carrying the legitimate build key. Such images would pass the checks a user or device relies on, so a malicious image could have been installed as though it were genuine. A threat actor could thereby have delivered malicious images to users requesting custom builds from the service.
According to OpenWrt, the chain also relied on a weak hash: the service identified build requests by a truncated hash, so two different requests could collide. The issue is tracked as CVE-2024-54143. Because the ASU infrastructure was the target, the potential impact was broad, particularly as many users rely on ASU regularly. For reference, ASU lets OpenWrt users upgrade their router firmware while keeping their settings and installed packages.
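To make the chain described in the preceding paragraphs concrete, here is an added example written for this article; it is not OpenWrt's or the ASU server's code, and its request format, field names, profile and version strings, and package-name allowlist are assumptions. It models a build service that identifies a request by a truncated SHA-256 of its contents, shows that an attacker who controls one package name can find a second request with the same truncated hash (a `#` turns the varying suffix into a shell comment, so a command-injection payload in that name keeps working across every candidate), and contrasts that with the full digest and an allowlist check on package names. The search uses a 4-hex-character (16-bit) truncation so it finishes in seconds; the researcher's writeup describes the real service as truncating to 12 characters (48 bits), a search that is within reach of GPU hashing.

```python
import hashlib
import re


# Constructed model of a build request (NOT the ASU server's real schema).
def canonical_request(profile, version, packages):
    """The fields an image-build service would hash to identify and cache a build."""
    return f"{profile}|{version}|{','.join(sorted(packages))}".encode()


def request_hash(profile, version, packages, hex_chars=None):
    """SHA-256 of the canonical request as hex.

    hex_chars=None keeps all 64 hex characters (256 bits).  Truncating to n hex
    characters keeps only 4*n bits, so a second preimage costs about 2**(4*n)
    hash computations: ~65k for n=4, ~2**48 for n=12."""
    digest = hashlib.sha256(canonical_request(profile, version, packages)).hexdigest()
    return digest if hex_chars is None else digest[:hex_chars]


def find_second_preimage(profile, version, target, packages, hex_chars, max_tries=2_000_000):
    """Find a request that differs from the victim's but has the same truncated hash.

    The attacker only controls its own package list, so it varies the last package
    name with a numeric suffix.  When that name also carries a command-injection
    payload, the '#' makes the suffix a shell comment: every candidate runs the
    same command but hashes differently.  Returns the colliding package list, or
    None if max_tries is exhausted."""
    head, tail = packages[:-1], packages[-1]
    for nonce in range(max_tries):
        candidate = head + [f"{tail} #{nonce}"]
        if request_hash(profile, version, candidate, hex_chars) == target:
            return candidate
    return None


# Allowlist for package names (assumption: opkg-style names built from letters,
# digits, '.', '_', '+' and '-').  Anything else, including every shell
# metacharacter, is rejected before the name reaches the build pipeline.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def unsafe_packages(packages):
    """Return the package names the allowlist validator would refuse."""
    return [p for p in packages if not PACKAGE_NAME_RE.fullmatch(p)]


def demo(hex_chars=4):
    """Run the whole scenario with a short truncation so it finishes in seconds."""
    profile, version = "generic-x86-64", "23.05.5"      # constructed values
    victim = ["luci", "wireguard-tools"]                 # legitimate request
    # Attacker's request: one package name carries a shell metacharacter payload.
    attacker = ["luci", "wireguard-tools; echo injected"]

    target = request_hash(profile, version, victim, hex_chars)
    colliding = find_second_preimage(profile, version, target, attacker, hex_chars)
    found = colliding is not None
    return {
        "target": target,
        "colliding": colliding,
        # Truncated hashes match: a service keyed on them serves the attacker's build.
        "same_truncated": found and request_hash(profile, version, colliding, hex_chars) == target,
        # Full digests do not: keeping all 256 bits removes the collision.
        "same_full": found and request_hash(profile, version, colliding)
        == request_hash(profile, version, victim),
        # The allowlist rejects the injected name regardless of any hash.
        "rejected": unsafe_packages(colliding or []),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is the control that actually matters: when a value is later expanded inside a shell recipe (as make variables typically are), passing it to the builder as a separate argv element does not by itself prevent injection, and a full-length hash only stops the collision, not the injected command.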
The developers added that anyone running a self-hosted ASU instance must update it immediately. Operators who do not want to pull the complete update can instead apply the two specific commits listed in the advisory OpenWrt has released. So, while there is no immediate danger, users who rely on OpenWrt should install the firmware update.

In related news, OpenWrt recently launched OpenWrt One, a hardware platform aimed at tech-savvy users who want to get the most out of their network hardware. The much-awaited box features a dual-core processor, a Wi-Fi 6 chip and two Ethernet ports. The device, which OpenWrt created in collaboration with the Software Freedom Conservancy (SFC), is advertised as unbrickable, which makes it a more reassuring choice for many.
Given that the new router also promises a more repair-friendly experience, it could pose a challenge to many mainstream manufacturers.