OpenWrt 19.07.1 update fixes package spoofing vulnerability

Corrective releases of the OpenWrt distribution, 18.06.7 and 19.07.1, have been published. They fix a dangerous vulnerability (CVE-2020-7982) in the opkg package manager that allows a MITM attack to replace the contents of a package downloaded from the repository. Due to an error in the checksum verification code, an attacker can create conditions under which the SHA-256 checksums present in the digitally signed package index are ignored, which makes it possible to bypass the integrity checks on downloaded ipk resources.

The problem has been present since February 2017, after code was added to ignore leading spaces before the checksum. Due to a bug in skipping the spaces, the pointer to the position in the string was not advanced, so the loop decoding the SHA-256 hexadecimal sequence returned control immediately and produced a zero-length checksum.
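A simplified C model of the defect described above, next to a hardened form. This is an added example, not opkg's source code: the function names, the fail-open caller and the sample field value are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <string.h>
#define SHA256_LEN 32
/* Constructed sample: the value that follows "SHA256sum:", leading space included. */
static const char SAMPLE_FIELD[] =
    " abababababababababababababababababababababababababababababababab";

static int nib(unsigned char c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Flawed model: whitespace is skipped on src, but the decode cursor s was
 * taken before the skip, so s[0] is still the space and the loop never runs. */
size_t decode_flawed(const char *src, unsigned char out[SHA256_LEN])
{
    const unsigned char *s = (const unsigned char *)src;   /* stale cursor */
    size_t n = 0;
    while (isspace((unsigned char)*src)) src++;
    if (strlen(src) > 2 * SHA256_LEN) return 0;   /* length check sees trimmed text */
    for (; n < SHA256_LEN && isxdigit(s[0]) && isxdigit(s[1]); s += 2)
        out[n++] = (unsigned char)(nib(s[0]) * 16 + nib(s[1]));
    return n;                                     /* 0 reads as "no checksum" */
}

/* Hardened: cursor set after the skip; anything but exactly 64 hex digits fails. */
int decode_strict(const char *src, unsigned char out[SHA256_LEN])
{
    const unsigned char *s;
    while (isspace((unsigned char)*src)) src++;
    s = (const unsigned char *)src;
    for (size_t n = 0; n < SHA256_LEN; n++, s += 2) {
        if (!isxdigit(s[0]) || !isxdigit(s[1]))
            return -1;
        out[n] = (unsigned char)(nib(s[0]) * 16 + nib(s[1]));
    }
    return *s == '\0' ? 0 : -1;
}

/* Caller that skips the comparison when no checksum was parsed (fails open). */
int accepts_flawed(const char *field, const unsigned char *actual)
{
    unsigned char want[SHA256_LEN];
    size_t n = decode_flawed(field, want);
    return n == 0 || (n == SHA256_LEN && memcmp(want, actual, SHA256_LEN) == 0);
}

/* Caller that accepts only a full, matching digest (fails closed). */
int accepts_strict(const char *field, const unsigned char *actual)
{
    unsigned char want[SHA256_LEN];
    return decode_strict(field, want) == 0 && memcmp(want, actual, SHA256_LEN) == 0;
}
```

Two separate defenses are modeled: fixing the cursor so the digest is actually decoded, and treating a missing or short digest as a verification failure rather than as nothing to verify.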

Since the opkg package manager in OpenWrt runs with root rights, in the event of a MITM attack an attacker can quietly modify the ipk package downloaded from the repository while the user is executing the "opkg install" command, and have their code executed with root rights by adding their own handler scripts, called during installation, to the package. To exploit the vulnerability, the attacker must also arrange the substitution of a correct and signed package index (for example, served from downloads.openwrt.org). The size of the modified package must match the original size defined in the index.

If you need to avoid updating the entire firmware, you can update only the opkg package manager by running the following commands:

cd /tmp
opkg update
opkg download opkg
zcat ./opkg-lists/openwrt_base | grep -A10 "Package: opkg" | grep SHA256sum
sha256sum ./opkg_2020-01-25-c09fe209-1_*.ipk

Next, compare the displayed checksums and, if they match, execute:

opkg install ./opkg_2020-01-25-c09fe209-1_*.ipk

The new versions also fix one more vulnerability, in the libubox library, which can lead to a buffer overflow when the blobmsg_format_json function processes specially formatted serialized binary or JSON data. The library is used in distribution components such as netifd, procd, ubus, rpcd and uhttpd, as well as in the auc (Attended sysUpgrade CLI) package. A buffer overflow occurs when large numeric attributes with the "double" type are passed in blobs. You can check whether the system is vulnerable by running the command:

$ ubus call luci getFeatures \
'{ "banik": 00192200197600198000198100200400.1922 }'

In addition to fixing vulnerabilities and accumulated bugs, the OpenWrt 19.07.1 release also updates the Linux kernel (from 4.14.162 to 4.14.167), resolves performance issues when using 5GHz frequencies, and improves support for Ubiquiti Rocket M Titanium, Netgear WN2500RP v1, Zyxel NSA325, Netgear WNR3500 V2, Archer C6 v2, Ubiquiti EdgeRouter-X, Archer C20 v4, Archer C50 v4, Archer MR200, TL-WA801ND v5, HiWiFi HC5962, Xiaomi Mi Router 3 Pro and Netgear R6350.

Source: opennet.ru
