It turns out that OpenWrt's update server had a vulnerability that allowed collision attacks because it checked only 12 digits of the SHA-256 hash value



It has been revealed that the update system of the embedded Linux distribution 'OpenWrt' had a vulnerability that could cause malicious packages to be mistaken for genuine packages. The SHA-256 hash check was improperly implemented, making hash collisions easy to produce.



Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security Research
https://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/

Attended Sysupgrade Server CVE-2024-54143
http://lists.openwrt.org/pipermail/openwrt-announce/2024-December/000061.html

OpenWrt has a system called 'Attended Sysupgrade' that allows you to update the firmware with just a few clicks on the router settings screen. Attended Sysupgrade builds a firmware image on the server side based on the user's device information and the desired version, and sends it to the router. However, it has been found to have two vulnerabilities: one that allows arbitrary commands to be executed, and one that allows malicious files to be mistaken for genuine files through a hash collision attack.

According to security researcher RyotaK, who discovered the problem, Attended Sysupgrade verified packages using only 12 digits of the 64-digit hash value generated by SHA-256. This made it very easy to carry out collision attacks, in which a malicious file is crafted so that its truncated hash value matches that of a genuine package.
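The following Python example is added here to illustrate the weakness described above; it is not code from the article, from OpenWrt, or from RyotaK's research. It models a weak verifier that compares only the first 12 hex digits of a SHA-256 digest beside a hardened verifier that compares the full digest, computes the birthday-bound work estimate for a given prefix length (roughly 2^(bits/2) hashes), and demonstrates on a deliberately tiny 4-hex-digit prefix how quickly truncated digests collide. Function names, the candidate strings, and the prefix lengths are constructed for this example.

```python
import hashlib
import hmac

FULL_HEX_LEN = 64  # SHA-256 yields 32 bytes, i.e. 64 hexadecimal digits


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_truncated(data: bytes, expected_hex: str, prefix_len: int = 12) -> bool:
    """Weak check modelled on the flaw: only the first prefix_len hex digits are compared.
    12 hex digits is 48 bits, so a birthday collision needs only about 2^24 hashes."""
    return sha256_hex(data)[:prefix_len] == expected_hex[:prefix_len].lower()


def verify_full(data: bytes, expected_hex: str) -> bool:
    """Hardened check: the whole 64-digit digest must match, and malformed
    expected values (wrong length, non-hex) are rejected outright."""
    if len(expected_hex) != FULL_HEX_LEN:
        return False
    try:
        bytes.fromhex(expected_hex)
    except ValueError:
        return False
    # constant-time comparison avoids leaking how many leading digits matched
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def birthday_work_estimate(hex_digits: int) -> int:
    """Expected number of hash evaluations to find a collision when only
    hex_digits hex digits (4 bits each) are compared: about 2^(bits/2)."""
    bits = 4 * hex_digits
    return 2 ** (bits // 2)


def find_prefix_collision(prefix_len: int, max_tries: int = 1 << 24):
    """Birthday search over a short prefix, used here only on a toy prefix
    to show that truncated digests collide after roughly 2^(bits/2) tries.
    Returns two distinct inputs sharing the same prefix, or None."""
    seen = {}
    for i in range(max_tries):
        candidate = b"constructed-candidate-%d" % i  # constructed sample input
        prefix = sha256_hex(candidate)[:prefix_len]
        if prefix in seen:
            return seen[prefix], candidate
        seen[prefix] = candidate
    return None


if __name__ == "__main__":
    print("expected work for 12 hex digits:", birthday_work_estimate(12))
    print("expected work for 64 hex digits:", birthday_work_estimate(64))
    a, b = find_prefix_collision(4)
    print("toy 4-digit collision:", a, b, sha256_hex(a)[:4])
    print("truncated check fooled:", verify_truncated(b, sha256_hex(a), 4))
    print("full check fooled:", verify_full(b, sha256_hex(a)))
```

The work estimate makes the article's numbers concrete: comparing 12 hex digits leaves 48 bits of collision resistance, so about 16 million hash evaluations are expected, which is trivial for a modern GPU, whereas the full 256-bit digest puts the expected work at 2^128. The defensive fix is simply to compare the entire digest with a constant-time comparison and reject anything that is not a well-formed 64-digit hex string.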

RyotaK attempted a collision attack using a GeForce RTX 4090 and succeeded in producing a colliding hash value within an hour. By combining this collision attack with a command injection vulnerability he had discovered separately, he demonstrated that it was possible to 'have a malicious package misidentified as a genuine package and incorporated into a user's router via Attended Sysupgrade'.

RyotaK has already reported the vulnerability to the OpenWrt development team, who applied a fix within three hours of the report and relaunched the Attended Sysupgrade service. Details of the vulnerability and how it was addressed are summarized at the following link.

[OpenWrt Wiki] Security Advisory 2024-12-06-1 - OpenWrt Attended SysUpgrade server: Build artifact poisoning via truncated SHA-256 hash and command injection (CVE-2024-54143)
https://openwrt.org/advisory/2024-12-06



Posted in Software, Security by log1o_hf