Millions of routers running OpenWRT vulnerable to attack

2020-04-01 12:20

A vulnerability discovered in the package manager of the OpenWRT open source operating system could allow attackers to compromise the embedded and networking devices running it.

About OpenWRT. OpenWRT is an open source, Linux-based operating system that can be run of various types of networking devices instead of the software/firmware that vendors usually ship with them.

"Instead of trying to create a single, static firmware, OpenWRT provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application," the OpenWRT Project explains.

"Due to the fact that opkg on OpenWRT runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged.ipk packages with malicious payload," the maintainers explained.

This vulnerability has been fixed since OpenWRT versions 18.06.7 and 19.07.1 were released in late January, but another serious security flaw has been fixed in subsequent versions released in late February, so users are advised to upgrade to one of the most recent OpenWRT versions.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/Db9HwDRKHMk/

#attack #openwrt #router

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Openwrt		4	1	36	9	1	47