| Category | Details |
|---|---|
| Threat Actors | None identified; the flaws are exploitable by any attacker able to submit build requests to an ASU server. |
| Campaign Overview | Exploitation of two weaknesses in OpenWrt’s Attended SysUpgrade (ASU) server: a command injection in the ImageBuilder build step and a build-request hash truncated to 12 hex characters (48 bits), which together let an attacker plant a poisoned image where legitimate users' requests are served from. |
| Target Regions (Or Victims) | OpenWrt users worldwide, including individuals and organizations relying on custom firmware for routers and network devices. |
| Methodology | - Command injection: a crafted package name in the build request reaches the ImageBuilder `make` invocation unsanitized and runs arbitrary commands in the build environment. - Hash truncation: because the request hash is cut to 48 bits, an attacker can brute-force a malicious request whose truncated hash equals that of a legitimate request, so the poisoned build is served in its place. |
| Product Targeted | OpenWrt operating system, specifically the Attended SysUpgrade (ASU) server. |
| Malware Reference | Malicious firmware images created during exploitation (no specific malware named). |
| Tools Used | Researcher's proof of concept: Hashcat on an NVIDIA RTX 4090 GPU to brute-force a request matching the 48-bit truncated hash (this is not a collision of full SHA-256). |
| Vulnerabilities Exploited | - Command injection via unsanitized package names in the ImageBuilder service. - Build-request hash truncated to 12 hex characters of SHA-256, making brute-forced matches practical. Both are tracked together as CVE-2024-54143 (CVSS 9.3). |
| TTPs | - Exploiting insufficient input sanitization of build-request fields. - Brute-forcing the shortened request hash to substitute a poisoned image for a legitimate one. - Delivering the poisoned image through the legitimate ASU service so it appears authentic to the device owner. |
| Attribution | General exploitation possible; no specific threat actor attributed. |
| Recommendations | - Apply the ASU fix immediately on any self-hosted ASU instance, and reinstall a freshly generated image on devices that were flashed from ASU before the fix. - Key caches and artifact lookups on the full digest, never a truncated one. - Validate build-request fields (package names in particular) against a strict allowlist before they reach the build environment. - Monitor for unexpected firmware images and verify image checksums against a trusted build. |
| Source | SOCRadar |
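Added example, not the ASU server's code: a toy build-cache that models the two weaknesses in the table, each beside its hardened form. The request layout, the package-name allowlist and the function names are assumptions. The brute-force uses a 3-hex-character truncation (12 bits) so it finishes instantly; the same loop against ASU's 12 characters (48 bits) is the roughly 2^48 SHA-256 evaluations that needed a GPU, and against the full 64 characters it does not finish.

```python
"""Toy model of an attended-sysupgrade build cache (assumed layout, not ASU's code)."""
import hashlib
import json
import re

# ---- Weakness 1: package names interpolated into the ImageBuilder make line ----

# Assumed allowlist for OpenWrt package names: letters, digits, '.', '_', '+', '-'.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9._+-]+")


def is_valid_package_name(name):
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def build_make_line_unsafe(packages):
    """Vulnerable pattern: the package list is pasted into a shell command string,
    so a name such as 'lib$(id)' or 'lib; curl ... | sh' is interpreted by the shell."""
    return 'make image PACKAGES="%s"' % " ".join(packages)


def validate_packages(packages):
    """Hardened: reject anything outside the allowlist before it reaches make.
    (make recipes themselves run through a shell, so using argv alone is not enough.)"""
    bad = [p for p in packages if not is_valid_package_name(p)]
    if bad:
        raise ValueError("rejected package names: %r" % bad)
    return list(packages)


def build_make_argv_safe(packages):
    """Validated names, passed as an argv list rather than a shell string."""
    return ["make", "image", "PACKAGES=" + " ".join(validate_packages(packages))]


# ---- Weakness 2: build cache keyed on a truncated SHA-256 of the request ----

def request_hash(request, keep=None):
    """SHA-256 of a canonical encoding of the request. `keep` truncates to that many
    hex characters: the vulnerable server kept 12 (48 bits); keep=None keeps all 64."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canonical).hexdigest()
    return digest[:keep] if keep else digest


def find_colliding_request(legit_request, keep, max_attempts=1 << 18):
    """Brute-force an attacker-controlled request whose truncated hash equals the
    legitimate one. Expected cost is about 16**keep SHA-256 evaluations."""
    target = request_hash(legit_request, keep)
    for i in range(max_attempts):
        candidate = dict(legit_request)
        # Only a field the attacker controls is varied: here one extra package name.
        candidate["packages"] = legit_request["packages"] + ["attacker-pkg-%d" % i]
        if request_hash(candidate, keep) == target:
            return candidate
    return None


class BuildCache:
    """Images are stored and served under the request hash (assumed, as a toy)."""

    def __init__(self, keep=None):
        self.keep = keep
        self.images = {}

    def build(self, request, image_bytes):
        self.images[request_hash(request, self.keep)] = image_bytes

    def serve(self, request):
        return self.images.get(request_hash(request, self.keep))


def demo(keep=3, max_attempts=1 << 18):
    """Returns (victim_got_attacker_image, attacker_request). With a truncated key
    the attacker's build answers the victim's legitimate request; with the full
    digest no colliding request is found and nothing is poisoned."""
    legit = {"target": "ath79/generic", "profile": "tplink_archer-c7-v2",
             "version": "23.05.5", "packages": ["luci", "wpad-basic-mbedtls"]}
    cache = BuildCache(keep=keep)
    evil = find_colliding_request(legit, keep, max_attempts)
    if evil is None:
        return False, None
    cache.build(evil, b"MALICIOUS-IMAGE")   # attacker gets their build cached first
    served = cache.serve(legit)             # victim asks for the legitimate config
    return served == b"MALICIOUS-IMAGE", evil


if __name__ == "__main__":
    print(build_make_line_unsafe(["luci", "lib$(id)"]))
    print(build_make_argv_safe(["luci", "wpad-basic-mbedtls"]))
    hit, evil = demo(keep=3)
    print("12-bit key poisoned:", hit, "via", evil["packages"][-1])
    print("full key poisoned:", demo(keep=None, max_attempts=1000)[0])
```

The two fixes are independent: the allowlist stops the injected command from ever running, and keying the cache on the full digest stops an attacker's build, malicious or not, from being handed to someone else.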
Read full article: https://socradar.io/openwrts-attended-sysupgrade-vulnerability/
Disclaimer: The above summary has been generated by an AI language model