OpenWrt dominates, but vulnerabilities persist in OT/IoT router firmware
The study uncovered that OT and IoT cellular routers and those used in small offices and homes contain outdated software components associated with known vulnerabilities.
The research showed that widely used OT/IoT router firmware images have, on average, 20 exploitable n-day vulnerabilities affecting the kernel, leading to increasing security risks.
"Our recent Sierra:21 research found tens of thousands of devices with outdated firmware are exposed online, easily accessible to hackers. Following the publication of Sierra:21, we wanted to understand the state of software components in OT/IoT network devices from other vendors, and what threat actors might uncover if they looked more closely at this software supply chain. Instead of finding new vulnerabilities, our goal was to look at what is already known, but still present in the latest firmware releases of routers."
The analysis identified, per firmware image, an average of 662 components and 2,154 findings, including known vulnerabilities, weak security posture, and potential new vulnerabilities.
Even the most recent firmware images do not use the latest versions of open-source components, including critical elements such as the kernel and OpenSSL. Known vulnerabilities abound.
On average, firmware images had 161 known vulnerabilities in their most common components: 68 with a low or medium CVSS score, 69 with a high score, and 24 with a critical score.
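The severity breakdown above is what an SBOM-against-vulnerability-feed cross-reference produces. The script below is an added example (not from the study or the article): it takes a constructed component list for one firmware image, a constructed feed whose identifiers are placeholders rather than real CVE numbers, flags components whose version is older than the fixing release, and buckets the hits by CVSS v3 qualitative rating, with low and medium merged the way the article reports them.

```python
import re
from collections import Counter

# Constructed SBOM for one firmware image (component -> version string).
# Placeholder values for illustration, not data from the study.
SBOM = {"linux": "5.10.100", "openssl": "1.1.1k",
        "busybox": "1.36.1", "dropbear": "2020.81"}

# Constructed vulnerability feed: affected component, first fixed version,
# CVSS v3 base score. The ids are placeholders, not real CVE numbers.
FEED = [
    {"id": "VULN-0001", "component": "linux",    "fixed_in": "5.10.150", "cvss": 7.8},
    {"id": "VULN-0002", "component": "linux",    "fixed_in": "5.10.120", "cvss": 5.5},
    {"id": "VULN-0003", "component": "openssl",  "fixed_in": "1.1.1n",   "cvss": 9.8},
    {"id": "VULN-0004", "component": "openssl",  "fixed_in": "1.1.1j",   "cvss": 7.5},  # already fixed in 1.1.1k
    {"id": "VULN-0005", "component": "busybox",  "fixed_in": "1.36.1",   "cvss": 6.5},  # fixed at exactly this version
    {"id": "VULN-0006", "component": "dropbear", "fixed_in": "2022.82",  "cvss": 4.3},
]

def parse_version(v):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so tuple comparison orders
    numeric parts numerically (1.10 > 1.9) and letter suffixes alphabetically."""
    out = []
    for piece in re.split(r"[.\-]", v):
        m = re.match(r"(\d+)([a-z]*)$", piece)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return tuple(out)

def severity(score):
    """CVSS v3 qualitative rating; low and medium are merged as in the article."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "low_medium"

def triage(sbom, feed):
    """Return (ids of vulns the image is still exposed to, count per severity bucket)."""
    affected = []
    for vuln in feed:
        version = sbom.get(vuln["component"])
        if version is None:
            continue  # component not present in this image
        if parse_version(version) < parse_version(vuln["fixed_in"]):
            affected.append(vuln)
    counts = Counter(severity(v["cvss"]) for v in affected)
    return [v["id"] for v in affected], dict(counts)

if __name__ == "__main__":
    ids, counts = triage(SBOM, FEED)
    print("exposed to:", ids)
    print("by severity:", counts)
```

Run against real data, the SBOM would come from a firmware unpacker and the feed from a CVE/NVD export; the version parser here handles only dotted-numeric schemes with a trailing letter, so distro-patched version strings need vendor-specific handling.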
News URL
https://www.helpnetsecurity.com/2024/08/07/ot-iot-router-firmware-vulnerabilities/
Related news
- OpenWrt orders router firmware updates after supply chain attack scare
- OvrC Platform Vulnerabilities Expose IoT Devices to Remote Attacks and Code Execution
- Update your OpenWrt router! Security issue made supply chain attack possible
- OpenWrt Sysupgrade flaw let hackers push malicious firmware images
- Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection