Subj : A vulnerability in the OpenWrt attended sysupgrade server
To   : All
From : LWN.net
Date : Mon Dec 09 2024 15:00:06

A vulnerability in the OpenWrt attended sysupgrade server

Date: Mon, 09 Dec 2024 14:48:54 +0000

Description:

The OpenWrt project has issued an advisory regarding a vulnerability in its Attended Sysupgrade Server that could allow an attacker to get compromised packages installed on a router. No official OpenWrt images were affected, and the vulnerability is not known to have been exploited, but users who have installed images created by an instance of this server are advised to reinstall. For a detailed description of how the exploit works, see this blog post.

    Then, as the hash collision occurred, the server returns the
    overwritten build artifact to the legitimate request that requests
    the following packages. [...] By abusing this, an attacker could
    force the user to upgrade to the malicious firmware, which could
    lead to the compromise of the device.

======================================================================
Link to news story: https://lwn.net/Articles/1001441/

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)
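The quoted paragraph names the failure mode without showing the mechanics: a build cache keyed by a hash of the request, where a colliding request's artifact overwrites the slot and is then served to a legitimate requester. The toy below is an added illustration, not code from OpenWrt, its Attended Sysupgrade server, LWN or the linked blog post. It assumes, purely for the demonstration, that the cache key is a deliberately short truncated digest so a collision can be found by brute force; the news item does not say how the real collision arose, and the target name, package names and class names here are made up. It contrasts a cache that trusts the key alone with one that stores the canonical request beside the artifact and verifies it on every read, which turns a collision into a cache miss instead of a wrong image.

```python
"""Toy model of a firmware-build cache keyed by a request hash.

Added illustration; not code from OpenWrt, its ASU server, LWN or the
linked blog post. ASSUMPTION: the key is a short, truncated digest of the
request, which is one way a collision can occur. The page does not say how
the real collision arose; this only shows the failure mode it names and
one hardening (bind each cached artifact to the exact request that built
it and verify that binding on read).
"""
import hashlib
import json
from dataclasses import dataclass, field


def canonical(request: dict) -> str:
    """Deterministic serialisation so equal requests always hash the same."""
    return json.dumps(request, sort_keys=True, separators=(",", ":"))


def request_key(request: dict, nbytes: int) -> str:
    """First nbytes of SHA-256 over the canonical request, as hex.
    The truncation (small nbytes) is the assumed weakness in this demo."""
    return hashlib.sha256(canonical(request).encode()).hexdigest()[: 2 * nbytes]


def build_image(request: dict) -> str:
    """Stand-in for the image builder; the 'artifact' records its package list."""
    return "image[" + ",".join(request["packages"]) + "]"


@dataclass
class WeakCache:
    """Artifacts stored under the short key alone: the last writer wins and
    any request with the same key is handed that artifact."""
    nbytes: int
    store: dict = field(default_factory=dict)

    def rebuild(self, request: dict) -> str:
        key = request_key(request, self.nbytes)
        self.store[key] = build_image(request)   # overwrites on collision
        return self.store[key]

    def fetch_or_build(self, request: dict) -> str:
        key = request_key(request, self.nbytes)
        if key not in self.store:                # no check of *which* request built it
            self.store[key] = build_image(request)
        return self.store[key]


@dataclass
class BoundCache:
    """Same short key, but the canonical request is stored beside the artifact
    and compared on read, so a collision becomes a miss, not a wrong image."""
    nbytes: int
    store: dict = field(default_factory=dict)

    def rebuild(self, request: dict) -> str:
        key = request_key(request, self.nbytes)
        self.store[key] = {"request": canonical(request), "artifact": build_image(request)}
        return self.store[key]["artifact"]

    def fetch_or_build(self, request: dict) -> str:
        key = request_key(request, self.nbytes)
        entry = self.store.get(key)
        if entry is None or entry["request"] != canonical(request):
            return self.rebuild(request)         # miss or collision: never serve a stranger's build
        return entry["artifact"]


def find_colliding_request(base: dict, nbytes: int, limit: int = 1_000_000) -> dict:
    """Brute-force a different request whose truncated key equals base's.
    Cheap precisely because the key is short."""
    target = request_key(base, nbytes)
    for i in range(limit):
        cand = {"target": base["target"], "packages": [f"evil-pkg-{i}"]}  # made-up names
        if request_key(cand, nbytes) == target:
            return cand
    raise RuntimeError("no collision found within limit")


def demo(nbytes: int = 1) -> dict:
    """Victim builds first; the attacker forces a colliding rebuild that
    overwrites the slot; the victim fetches again. Returns what each cache served."""
    victim = {"target": "ath79/generic", "packages": ["luci"]}  # constructed request
    attacker = find_colliding_request(victim, nbytes)
    weak, bound = WeakCache(nbytes), BoundCache(nbytes)
    for cache in (weak, bound):
        cache.fetch_or_build(victim)   # legitimate build lands in the cache
        cache.rebuild(attacker)        # colliding request overwrites the slot
    return {
        "keys_collide": request_key(victim, nbytes) == request_key(attacker, nbytes),
        "expected": build_image(victim),
        "weak_serves": weak.fetch_or_build(victim),
        "bound_serves": bound.fetch_or_build(victim),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() shows the weak cache handing the victim an image built from the attacker's package list while the bound cache rebuilds and returns the victim's own image. The binding check is cheap (one string comparison) and is independent of key length; a full-length digest makes collisions infeasible, but storing and verifying the request is what makes a served artifact provably the one the requester asked for.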