ASU OpenWrt Server Flaws: Image Swap, Code Execution

A critical vulnerability has been identified in the OpenWrt project's ASU (Attended SysUpgrade) service that lets an attacker tamper with the build artifacts distributed through sysupgrade.openwrt.org or through third-party ASU servers. The issue, tracked as CVE-2024-54143, can result in the installation of firmware images modified by an attacker. Users who update in "Attended Upgrade" mode are affected, whether they request images through the web interface at firmware-selector.openwrt.org or through the attendedsysupgrade command-line client.

An attacker needs no authentication: it is enough to send a build request to the ASU server. By submitting a specially crafted package list, the attacker can cause a malicious image to be returned in response to legitimate build requests from other users.

The ASU service in OpenWrt builds and installs firmware updates without losing user settings. A user requests an updated custom image through the web interface or a command-line tool, listing the packages installed on the device. The ASU server then generates an image matching that request, which can be flashed onto the device with the existing configuration carried over into the updated firmware.

The ASU server processes these requests automatically using the ImageBuilder tool and keeps a cache of previously produced builds. If a user requests an image that has already been built and is still current, the server serves the existing image from the cache instead of building it again.

The attack was made possible by two vulnerabilities. The first lies in how build_request.py hands the request over to the ImageBuilder tool: package names from the request were inserted into the build command without any validation, so an attacker could submit a specially crafted package list and inject arbitrary commands into the build process. This allowed an attacker to produce firmware images on the server itself, signed with the server's legitimate build key.
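The following is an added illustration, not code from the ASU project: it contrasts the unsafe pattern described above (package names concatenated into a shell command line for ImageBuilder) with a hardened variant that validates each name against an allowlist pattern and passes arguments as an argv list without a shell. The `make image PROFILE=... PACKAGES=...` invocation is ImageBuilder's real interface; the function names, the regex, the sandbox with a stub `make` that records its arguments, and the malicious package name are all constructed for this example.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Allowlist for OpenWrt package and profile names (assumption for this example:
# letters, digits, '.', '_', '+', '-' only; no whitespace or shell metacharacters).
NAME_RE = re.compile(r"^[A-Za-z0-9_.+-]+$")


def build_command_vulnerable(profile, packages):
    """Unsafe pattern: user-controlled names are pasted into a shell string.
    A package name containing a double quote breaks out of PACKAGES="..."."""
    return f'make image PROFILE={profile} PACKAGES="{" ".join(packages)}"'


def build_command_hardened(profile, packages):
    """Hardened pattern: reject anything outside the allowlist, then build an
    argv list so no shell ever parses the names."""
    for name in [profile, *packages]:
        if not NAME_RE.match(name):
            raise ValueError(f"rejected name: {name!r}")
    return ["make", "image", f"PROFILE={profile}", f"PACKAGES={' '.join(packages)}"]


def run_with_fake_make(cmd, shell):
    """Run cmd in a throwaway directory where `make` is a stub that records its
    argv, so we can see exactly what got executed. Returns (make_argv, stdout)."""
    with tempfile.TemporaryDirectory() as d:
        stub = Path(d) / "make"
        stub.write_text('#!/bin/sh\nprintf "%s\\n" "$@" > "$MAKE_LOG"\n')
        stub.chmod(0o755)
        log = Path(d) / "make.log"
        env = {**os.environ, "PATH": f"{d}:{os.environ.get('PATH', '')}",
               "MAKE_LOG": str(log)}
        res = subprocess.run(cmd, shell=shell, env=env, cwd=d,
                             capture_output=True, text=True)
        make_argv = log.read_text().splitlines() if log.exists() else []
        return make_argv, res.stdout


# Constructed malicious "package name": closes the quoted PACKAGES value,
# runs an extra command, and comments out the rest of the line.
MALICIOUS = 'luci"; echo INJECTED; #'


def demo_vulnerable():
    """Shell-string path: the injected command runs after make returns."""
    return run_with_fake_make(build_command_vulnerable("generic", [MALICIOUS]), shell=True)


def demo_hardened_rejects():
    """Validation path: the crafted name never reaches a command line."""
    try:
        build_command_hardened("generic", [MALICIOUS])
    except ValueError:
        return True
    return False


def demo_hardened_runs():
    """Argv path with benign names: make receives exactly the intended arguments."""
    return run_with_fake_make(build_command_hardened("generic", ["luci", "luci-ssl"]),
                              shell=False)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened rejects crafted name:", demo_hardened_rejects())
    print("hardened:", demo_hardened_runs())
```

Running it shows the vulnerable path invoking `make` with a truncated `PACKAGES=luci` and then executing the attacker's `echo`, while the hardened path refuses the crafted name outright and, for legitimate names, hands `make` a single `PACKAGES=luci luci-ssl` argument with no shell involved. Validating names before they reach the build step is the check; dropping the shell entirely is the defence in depth.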
