OpenWrt, the open-source Linux-based operating system for routers and other embedded devices, has issued a fix for a critical vulnerability in its Attended SysUpgrade (ASU) server, tracked as CVE-2024-54143, which could be leveraged to inject malicious firmware images, reports SecurityWeek.
The flaw, which can be exploited without authentication, combines two weaknesses: a command injection in Imagebuilder that lets a build request carry arbitrary commands into the build process, and a truncated SHA-256 hash used to key the build artifact cache, whose reduced entropy makes collisions feasible and so lets an attacker poison the cache, according to OpenWrt. "Combined, these vulnerabilities enable attackers to serve compromised firmware images via the Attended SysUpgrade service, affecting the integrity of delivered builds. Attackers can compromise the build artifacts delivered via sysupgrade.openwrt.org, potentially leading to malicious firmware being installed during the attended firmware upgrade process," said OpenWrt, which, while rating the likelihood of such attacks as low, urged immediate application of the released patches to avert the delivery of compromised images.
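The two weak patterns described above, modelled in a toy build service, as an added example that is not OpenWrt's or the ASU server's own code. All names (build_argv, weak_cache_key, find_truncated_collision, the request format) are hypothetical; the truncation lengths used are chosen so the collision search finishes instantly, and the comments state how the cost scales to longer truncations.

```python
"""Toy model of the two weaknesses in the advisory (hypothetical code,
not OpenWrt's): shell-built make commands fed by unvalidated package
names, and an artifact cache keyed by a truncated SHA-256 digest."""
import hashlib
import re
import secrets

# Conservative allow-list for package names; anything else is rejected
# before it reaches the build system. (Assumed policy, not OpenWrt's.)
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def is_valid_package_name(name: str) -> bool:
    """True only for names made of letters, digits, '.', '_', '+', '-'."""
    return bool(PACKAGE_NAME_RE.fullmatch(name))


def unsafe_make_command(packages: list[str]) -> str:
    """Weak pattern: names are concatenated into a string that is later
    handed to a shell. A name such as "luci; id" ends the quoted argument
    early and runs 'id' as a separate command."""
    return "make image PACKAGES='" + "' '".join(packages) + "'"


def build_argv(packages: list[str]) -> list[str]:
    """Hardened pattern: validate every name, then build an argv list that
    is executed without a shell, so no metacharacters are interpreted."""
    for name in packages:
        if not is_valid_package_name(name):
            raise ValueError(f"rejected package name: {name!r}")
    return ["make", "image", "PACKAGES=" + " ".join(packages)]


def weak_cache_key(request: str, hexchars: int) -> str:
    """Weak pattern: keep only the first `hexchars` hex digits of the
    digest. Each hex digit is 4 bits, so 12 digits give 48 bits of key."""
    return hashlib.sha256(request.encode()).hexdigest()[:hexchars]


def strong_cache_key(request: str) -> str:
    """Hardened pattern: the full 256-bit digest keys the cache."""
    return hashlib.sha256(request.encode()).hexdigest()


def find_truncated_collision(hexchars: int, prefix: str = "pkgs="):
    """Birthday search for two different requests with the same truncated
    key. Expected work is about sqrt(16**hexchars) hashes: ~1000 for
    5 hex digits (runs instantly here), ~2**24 for 12 hex digits, which
    is still a few seconds of offline CPU time. Returns (req_a, req_b,
    attempts)."""
    seen: dict[str, str] = {}
    attempts = 0
    while True:
        candidate = f"{prefix}{secrets.token_hex(8)}"
        key = weak_cache_key(candidate, hexchars)
        if key in seen and seen[key] != candidate:
            return seen[key], candidate, attempts
        seen[key] = candidate
        attempts += 1


def poisoned_lookup(hexchars: int) -> bool:
    """Simulate cache poisoning: the attacker submits request B first, so
    its artifact is cached under the truncated key; a victim's request A
    with the same truncated key is then served the attacker's artifact.
    Returns True if the victim received the attacker's build."""
    victim_req, attacker_req, _ = find_truncated_collision(hexchars)
    cache = {weak_cache_key(attacker_req, hexchars): "attacker-artifact.bin"}
    served = cache.get(weak_cache_key(victim_req, hexchars), "fresh-build.bin")
    return served == "attacker-artifact.bin"


if __name__ == "__main__":
    print(unsafe_make_command(["luci", "wpad; id"]))
    print(build_argv(["luci", "wpad-basic-mbedtls"]))
    a, b, n = find_truncated_collision(5)
    print(f"collision after {n} attempts: {a} / {b}")
    print("victim served attacker artifact:", poisoned_lookup(5))
```

The shell-free argv list is only half of the fix; the allow-list is what keeps a hostile name from being interpreted by make or a build recipe further down. For the cache, the point is that the search cost is set by the truncated key length, not by SHA-256 itself, so shortening the digest for convenience silently converts a 128-bit collision bound into something an attacker can brute-force.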
Critical OpenWrt bug enabling malicious firmware image installation addressed