“Critical” opkg CVE and Turris

You might have heard on some news sites about a “critical” vulnerability in OpenWrt, and you might be worried about how it affects your Turris. The quotes around the word critical are there for a reason. TL;DR: it is not applicable against Turris.

Background

How does it work? Whenever you want to install a package in OpenWrt, you first need an up-to-date copy of the list of available packages. That list contains the name, size and checksum of every file in the repository. You search locally for the package you want to install, and then during the installation the package is downloaded, its size and checksum are checked, and if they match, the installation proceeds.

Where are the security checks in there? The package index you download is signed by a release key, and the signature is verified every time you download it. The index in turn holds the checksum and size of every package, so you are able to verify each package you download, even when it is downloaded over plain HTTP. That is what OpenWrt does on some devices, because HTTPS requires including an SSL library, which can be too much for a memory-constrained device.

Where is the problem? The mentioned CVE affects checksum verification. If the router downloads a package over HTTP and there is a man-in-the-middle attacker, this bug can lead to the checksum not being verified, allowing the attacker to trick the victim into installing a different package with a backdoor, provided the attacker is able to create a malicious package with the same name and size as the package you are trying to install.
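The check described above, written so that it fails closed, as an added example (this is not opkg's or the Turris updater's code). It assumes the index has already passed signature verification and uses the Package, Size and SHA256sum fields of an opkg-style index; the package name and payloads are constructed.

```python
import hashlib
import hmac

def parse_index(text):
    """Parse an opkg-style Packages index into {package name: {field: value}}."""
    packages = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):  # continuation of a multi-line field
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            packages[fields["Package"]] = fields
    return packages

def verify_package(entry, blob):
    """True only if blob matches the Size and SHA256sum of the index entry.

    Fails closed: a missing or malformed field rejects the package instead
    of skipping the comparison.
    """
    size = entry.get("Size", "")
    digest = entry.get("SHA256sum", "").lower()
    if not (size.isascii() and size.isdigit()):
        return False
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        return False
    if len(blob) != int(size):
        return False
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), digest)

# Constructed sample data, not taken from a real repository.
GOOD = b"constructed package payload"
EVIL = b"X" + GOOD[1:]  # different content, same size, served under the same name
INDEX = (
    "Package: example-pkg\n"
    f"Size: {len(GOOD)}\n"
    f"SHA256sum: {hashlib.sha256(GOOD).hexdigest()}\n"
    "Description: constructed entry\n"
    " with a continuation line\n"
)

if __name__ == "__main__":
    entry = parse_index(INDEX)["example-pkg"]
    print("genuine :", verify_package(entry, GOOD))
    print("tampered:", verify_package(entry, EVIL))
```

The size comparison alone accepts the tampered payload; only the checksum comparison separates the two, which is why skipping it removes the protection on plain HTTP.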

Turris

Why does it not affect Turris routers? First of all, for the majority of package management on our routers we use an updater. The updater uses the same file formats and the same package index, but it is implemented from scratch, so it doesn’t contain the mentioned error.

But even if you decide to use plain old opkg on Turris routers, there is one more countermeasure that we have had in production for a long time. We download both the package index and the packages themselves over HTTPS. So a simple man-in-the-middle attack wouldn’t work: you would have to get a valid and signed certificate for https://repo.turris.cz first.

So although it poses quite a risk for trimmed-down versions of OpenWrt, for Turris OS with its default configuration there is no way to exploit it.

 
