CVE-2020-7982: Opkg susceptible to MITM vulnerability in OpenWrt/LEDE

OpenWrt has disclosed a security vulnerability (CVE-2020-7982) and confirmed that it has been fixed. Attackers can trigger the vulnerability remotely and gain management rights on the router.

Now that the vulnerability has been disclosed and repaired, users only need to download the latest firmware version and upgrade to fix it.

CVE-2020-7982

Vulnerability Detail

A bug in the package list parsing logic of OpenWrt’s opkg fork caused the package manager to ignore SHA-256 checksums embedded in the signed repository index, effectively bypassing integrity checking of downloaded .ipk artifacts.

Because opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by means of forged .ipk packages carrying a malicious payload.
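As an added example (not code from opkg or the OpenWrt project), the following Python code shows the integrity check that the bug caused to be skipped: each downloaded .ipk is compared against the SHA256sum field of its index entry, and a missing or unparsable checksum is treated as a failure rather than ignored. The function names and sample data are constructed for illustration, and the index text is assumed to have already passed signature verification.

```python
import hashlib
import re

# Constructed sample data: a stand-in .ipk payload and a two-entry index
# in the "Field: value" stanza layout used by opkg Packages files.
PAYLOAD = b"constructed ipk bytes"
SAMPLE_INDEX = (
    "Package: demo-good\n"
    "Version: 1.0-1\n"
    "Filename: demo-good_1.0-1_all.ipk\n"
    f"Size: {len(PAYLOAD)}\n"
    f"SHA256sum: {hashlib.sha256(PAYLOAD).hexdigest()}\n"
    "\n"
    "Package: demo-nosum\n"
    "Version: 1.0-1\n"
    "Filename: demo-nosum_1.0-1_all.ipk\n"
    f"Size: {len(PAYLOAD)}\n"
)
HEX64 = re.compile(r"[0-9a-fA-F]{64}")

def parse_index(text):
    """Return {package name: {field: value}} for every stanza in the index."""
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Skip continuation lines (leading whitespace) and junk.
            if ":" in line and not line[0].isspace():
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            packages[fields["Package"]] = fields
    return packages

def verify_ipk(index, name, data):
    """Return (ok, reason); any missing or malformed metadata fails closed."""
    entry = index.get(name)
    if entry is None:
        return False, "package not in index"
    expected = entry.get("SHA256sum", "")
    if not HEX64.fullmatch(expected):
        # The failure mode behind this CVE class: never skip the check here.
        return False, "missing or malformed SHA256sum"
    if entry.get("Size") != str(len(data)):
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != expected.lower():
        return False, "sha256 mismatch"
    return True, "ok"
```
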

According to the official announcement of the project team, OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0 as well as LEDE 17.01.0 to 17.01.7 are affected.

LEDE firmware versions 17.01.0 to 17.01.7, which are based on OpenWrt firmware, are likewise affected, so users of LEDE firmware also need to update.

In addition, older and unsupported versions such as OpenWrt 15.05 and LEDE 17.01 are affected by the vulnerability and cannot be repaired.