Remote Code Execution Vulnerability Patched in OpenWrt

A vulnerability that OpenWrt addressed in its opkg fork could have been exploited for the remote execution of arbitrary code.


A free, Linux-based embedded platform, OpenWrt has been specifically tailored for network routers and is used on millions of devices worldwide. Opkg is a package management system forked from ipkg, and is intended for use on embedded devices.


Tracked as CVE-2020-7982, the addressed issue resides in the package list parse logic of opkg, which did not perform the necessary checks on downloaded .ipk artifacts.


“Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged .ipk packages with malicious payload,” OpenWrt notes in an advisory.


To exploit the security flaw, however, a malicious actor needs to perform a man-in-the-middle (MiTM) attack on the unencrypted HTTP connection between the targeted device and downloads.openwrt.org, the default website opkg downloads packages from.


The attacker must provide a valid and signed package index to the target. Additionally, they would need to deliver at least one forged .ipk package that features the same size as specified in the repository index, and also invoke an ‘opkg install’ command on the victim system.


“To test if opkg would indeed download packages from a custom network connection, I set up a local web server and created a file consisting of random bytes. When I ran opkg to install a package, it retrieved the file as I had intended, and then threw a segmentation fault,” ForAllSecure security researcher Guido Vranken, who discovered the bug, expla ..

Support the originator by clicking the read the rest link below.