A vulnerability in the OpenWrt attended sysupgrade server

[Posted December 9, 2024 by corbet]

The OpenWrt project has issued an advisory regarding a vulnerability found in its Attended Sysupgrade Server that could allow compromised packages to be installed on a router by an attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installed images created with an instance of this server are recommended to reinstall.

For a detailed description of how the exploit works, see this blog post.

Then, as the hash collision occurred, the server returns the overwritten build artifact to the legitimate request that requests the following packages. [...]
By abusing this, an attacker could force the user to upgrade to the malicious firmware, which could lead to the compromise of the device.

Truncated hash collision ?

Posted Dec 10, 2024 22:13 UTC (Tue) by Lennie (subscriber, #49641) [Link]

Don't see that every day (I think I might have seen it in 'the olden days').

Probably because people think it might be a bad idea, possibly because they don't even want to spend time thinking how much less secure it will make them.