{warning}Critical RCE Bug Affects Millions of OpenWrt-based Network Devices

[TheBeardedBaby]

Many of you probably prefer a custom made routers like me, so if you end up having one with OpenWrt on it, then you might be in trouble.
Below is the full article from TheHackerNews.
Keep your coins safe!

A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.

Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the way it performs integrity checking of downloaded packages using the SHA-256 checksums embedded in the signed repository index.

While an 'opkg install' command is invoked on the victim system, the flaw could allow a remote man-in-the-middle attacker in a position to intercept the communication of a targeted device to execute arbitrary code by tricking the system into installing a malicious package or software update without verification.

If exploited successfully, a remote attacker could gain complete control over the targeted OpenWrt network device, and subsequently, over the network traffic it manages.

The three-year-old vulnerability was discovered earlier this year by Guido Vranken from the ForAllSecure software company, who then reported it responsibly to the OpenWrt development team.

In a blog post published today, Vranken explained that when a checksum contains any leading spaces, OPKG on the vulnerable versions of OpenWrt skips checking the integrity of the downloaded package and proceeds to the installation task.

"Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by means of forged .ipk packages with a malicious payload," OpenWrt team said.

The remote exploitation of this vulnerability is possible due to the fact that integrity in Linux based software installation mechanisms rely on digitally signing files while downloading files over the insecure HTTP connection.

Besides this, to exploit the vulnerability, attackers also need to serve a malicious package with the size equals to that specified in the package list on downloads.openwrt.org.

According to the project team, OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0, as well as LEDE 17.01.0 to 17.01.7, are affected.

    "As a stopgap solution, OpenWRT removed the space in the SHA256sum from the package list shortly after I reported the bug," Vranken said.


    "However, this is not an adequate long-term solution because an attacker can simply provide an older package list that was signed by the OpenWRT maintainers."


To fix this issue, affected users are advised to upgrade their device firmware to the latest OpenWrt versions 18.06.7 and 19.07.1, which were released last month.

Source > https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html

[NotATether]

And to add to the above, OpenWRT's site has a list of routers that support OpenWRT at https://openwrt.org/toh/start. Any router that doesn't support firmware version 19.07.1 should be considered unsafe to use for bitcoin-related activities. In particular if you have  a 4MB flash / 32MB RAM router, the new firmware versions are too big to run on these routers without crashing, so these should be replaced as soon as possible.

Firmware version 18.06.7 also has a patch for this vulnerability but the whole 18.x branch is going EOL this month, or possibly in May. I'm sure "Mai" was supposed to be May or March.

Support status

This lists the currently support or not supported OpenWrt versions.
Version    Current status    Projected EOL
19.07    Fully supported    Jan 2021
18.06    Security maintenance    Mai 2020
17.01    End of life    EOL
15.05    End of life    EOL

I have not seen any exploits that use this flaw, but now that it has been publicly announced, exploits appearing for older OpenWRT routers are inevitable but will take several months to develop. But manually monitoring hundreds of hacked routers is a burden for hackers so I think some will target routers of people they know to have large amounts of bitcoin in exchanges, and then somehow present a password-stealing fake login screen like that Cerberus malware. Others will just change the IP and DNS addresses of well known bitcoin websites like bitcoin.org and electrum.org to a fake malware site, since it's difficult to compromise the bitcoin protocol itself and transactions are signed with ECDSA. Yet others could simply snoop on bitcoin traffic on port 8333 and retrieve public keys and hence your wallet address, and also your transaction inputs and outputs. They could use that information to target you with phishing if they see you send coins to an address belonging to an online service.