#VU26370 Improper Neutralization of Special Elements in Output Used by a Downstream Component in OpenWrt and LEDE - CVE-2020-7982


Vulnerability identifier: #VU26370

Vulnerability risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-7982

CWE-ID: CWE-74

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenWrt (Operating systems & Components / Operating system)
LEDE (Operating systems & Components / Operating system)

Vendor: openwrt.org

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in the OPKG package manager due to the way it performs integrity checking of downloaded packages using the SHA-256 checksums embedded in the signed repository index. A remote attacker can perform a man-in-the-middle attack, inject arbitrary package payloads and execute arbitrary code on the target system.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

OpenWrt: 18.06.0 - 18.06.6, 19.07.0

LEDE: 17.01.0 - 17.01.7


External links
https://github.com/openwrt/openwrt/commits/master
https://openwrt.org/advisory/2020-01-31-1
https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

