CVE-2024-54143 Overview
CVE-2024-54143 is a critical vulnerability affecting the OpenWrt Attended Sysupgrade (ASU) server, an image-on-demand service for OpenWrt-based distributions. The vulnerability stems from a weak hash algorithm implementation where SHA-256 hashes are truncated to only 12 characters, significantly reducing entropy and making hash collision attacks feasible. This allows attackers to poison the artifact cache and deliver compromised firmware images to unsuspecting users.
Critical Impact
Attackers can exploit the hash truncation weakness to generate collisions, enabling cache poisoning attacks that serve malicious firmware images signed with legitimate build keys to end users.
Affected Products
- OpenWrt ASU (Attended Sysupgrade) Server
- OpenWrt-based distributions using ASU image building services
- OpenWrt Imagebuilder components
Discovery Timeline
- 2024-12-06 - CVE-2024-54143 published to NVD
- 2024-12-06 - Last updated in NVD database
Technical Details for CVE-2024-54143
Vulnerability Analysis
The vulnerability exists in the request hashing mechanism used by the OpenWrt ASU server. The core issue is classified as CWE-328 (Use of Weak Hash), where the implementation truncates SHA-256 hash values to only 12 characters. This drastic reduction in hash length significantly decreases the entropy of the hash output, making it computationally feasible for attackers to generate hash collisions through brute-force techniques.
When an attacker successfully generates a collision, they can substitute a legitimate firmware image request with a malicious one. Since the truncated hashes match, the caching mechanism serves the attacker-controlled malicious image instead of the legitimate build. This vulnerability becomes particularly dangerous when combined with a separate command injection flaw in the Imagebuilder component, allowing attackers to inject arbitrary commands into the build process and produce malicious firmware images that are signed with legitimate build keys.
Root Cause
The root cause is the inappropriate truncation of SHA-256 hashes to 12 characters in the EXTRA_IMAGE_NAME parameter within the build process. A full SHA-256 hash provides 256 bits of output, but 12 hexadecimal characters carry only 48 bits (4 bits per character), which brings brute-force collision generation within reach of modern computing resources.
Attack Vector
The attack exploits the network-accessible ASU service without requiring authentication or user interaction. An attacker can:
- Analyze the hash truncation mechanism to understand collision requirements
- Generate a malicious firmware image with crafted parameters
- Compute hash collisions to match legitimate build requests
- Submit the malicious build to poison the cache
- When legitimate users request firmware builds, the cached malicious image is served instead
The following excerpt from the patch shows the change around the truncated hash in the build command:
"image",
f"PROFILE={build_request.profile}",
f"PACKAGES={' '.join(build_cmd_packages)}",
- f"EXTRA_IMAGE_NAME={packages_hash}",
+ f"EXTRA_IMAGE_NAME={packages_hash[:12]}",
f"BIN_DIR=/builder/{request_hash}",
]
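Review bot: the key that selects the cache entry is request_hash, used unchanged in the BIN_DIR line, and this hunk does not touch it; the [:12] added to EXTRA_IMAGE_NAME only shortens the image file name, so the commit should state that packages_hash[:12] is cosmetic and that request_hash is the full digest, otherwise a reader of this hunk sees a truncation being introduced rather than removed.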
Source: GitHub Commit Update
Additionally, the patch introduced input validation patterns to strengthen security:
from typing import Annotated
from pydantic import BaseModel, Field
from asu.config import settings
STRING_PATTERN = r"^[\w.,-]*$"
TARGET_PATTERN = r"^[\w]*/[\w]*$"
class BuildRequest(BaseModel):
distro: Annotated[
Source: GitHub Commit Update
Detection Methods for CVE-2024-54143
Indicators of Compromise
- Unusual patterns of build requests with similar hash prefixes targeting the ASU server
- Multiple firmware images in cache sharing identical 12-character hash values
- Unexpected firmware image signatures or checksums that differ from official builds
- Anomalous build request parameters or injection patterns in build logs
Detection Strategies
- Monitor ASU server logs for repeated requests with hash collision patterns
- Implement integrity verification by comparing firmware hashes against known-good OpenWrt releases
- Analyze network traffic for suspicious bulk requests to the ASU image building service
- Deploy file integrity monitoring on cached firmware images
Monitoring Recommendations
- Enable detailed logging on ASU server instances to capture all build request parameters
- Set up alerts for abnormal cache hit rates that may indicate poisoned cache entries
- Regularly audit firmware images served from ASU against official OpenWrt checksums
- Monitor for command injection patterns in Imagebuilder logs
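As an added detection example (not code from the ASU project), the following script audits build-request log lines for two of the indicators listed above: distinct requests that share one 12-character cache key, and request parameters that fail the allow-list patterns from the fix. The log layout, field names and sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Allow-list patterns introduced by the fix (quoted from the snippet above).
STRING_PATTERN = re.compile(r"^[\w.,-]*$")
TARGET_PATTERN = re.compile(r"^[\w]*/[\w]*$")

# Constructed log layout for this example; a real ASU deployment logs differently.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) request key=(?P<key>[0-9a-f]{12}) target=(?P<target>\S+) "
    r"profile=(?P<profile>\S+) packages=(?P<packages>\S*)$"
)

# Constructed sample: the first and third requests differ in their package list
# but land on the same 12-character cache key; the last one fails validation.
SAMPLE_LOG = """\
2024-12-06T09:00:01Z request key=a1b2c3d4e5f6 target=ath79/generic profile=tplink_archer-c7-v2 packages=luci,wpad-basic
2024-12-06T09:00:07Z request key=0f0e0d0c0b0a target=x86/64 profile=generic packages=luci
2024-12-06T09:01:13Z request key=a1b2c3d4e5f6 target=ath79/generic profile=tplink_archer-c7-v2 packages=luci,wpad-basic,dropbear
2024-12-06T09:02:44Z request key=777777777777 target=x86/64 profile=generic packages=luci;curl
"""

def parse_log(text: str) -> list[dict]:
    """Parse lines in the constructed layout; anything else is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def key_collisions(entries: list[dict]) -> dict[str, int]:
    """Cache keys reached by more than one distinct request: the poisoning precondition."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["key"]].add((e["target"], e["profile"], e["packages"]))
    return {k: len(v) for k, v in seen.items() if len(v) > 1}

def invalid_entries(entries: list[dict]) -> list[str]:
    """Timestamps of requests whose parameters fail the allow-list patterns."""
    bad = []
    for e in entries:
        pkgs = e["packages"].split(",") if e["packages"] else []
        ok = (TARGET_PATTERN.match(e["target"])
              and STRING_PATTERN.match(e["profile"])
              and all(STRING_PATTERN.match(p) for p in pkgs))
        if not ok:
            bad.append(e["ts"])
    return bad

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("colliding cache keys:", key_collisions(entries))
    print("requests failing validation:", invalid_entries(entries))
```

Each colliding key is worth checking against the cached artifact's checksum, since only one of the requests that share it can have produced the stored image.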
How to Mitigate CVE-2024-54143
Immediate Actions Required
- Update the OpenWrt ASU server to the patched version containing commit 920c8a1
- Clear existing artifact cache to remove any potentially poisoned firmware images
- Verify integrity of any firmware images recently downloaded from affected ASU instances
- Review build logs for signs of command injection or malicious build requests
Patch Information
The vulnerability has been addressed in commit 920c8a13d97b4d4095f0d939cf0aaae777e0f87e. Organizations running OpenWrt ASU servers should apply this patch immediately. The fix implements proper hash handling and introduces input validation patterns using regex constraints (STRING_PATTERN and TARGET_PATTERN) to prevent injection attacks. For detailed patch information, refer to the GitHub Security Advisory GHSA-r3gq-96h6-3v7q.
Workarounds
- Temporarily disable public access to ASU instances until patching is complete
- Implement additional hash validation at the application layer using full SHA-256 hashes
- Enable strict input validation and sanitization for all build request parameters
- Consider using alternative firmware build methods that don't rely on vulnerable ASU caching
# Example: Pull and apply the security patch
cd /path/to/asu
git fetch origin
git cherry-pick 920c8a13d97b4d4095f0d939cf0aaae777e0f87e
# Restart the ASU service after patching
systemctl restart asu
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

