Exploiting the flaw
A security researcher named Guido Vranken from ForAllSecure discovered this flaw, which had existed in OpenWrt devices for 3 years. OpenWrt installation files and updates were sent over unencrypted, insecure HTTP connections. Although they travelled over this insecure channel, the files were digitally signed so they would be recognized as legitimate. Yet there is a flaw. Before applying them, OpenWrt verifies the files' integrity against an SHA-256 hash: the downloaded file's checksum must match the one published in the package list, and if it does not, the file should be discarded. Vranken discovered that the SHA256sum field is not read correctly due to a simple programming error, so the check fails to protect every installation of these OpenWrt files. This gives an attacker the chance to create a similar file that matches the required size, fooling the process and substituting a malicious file. That file is then sent to users' routers, giving the attacker a chance to deliver a payload via RCE attacks. This bug was identified as CVE-2020-7982 in early 2017 and affects OpenWrt versions 18.06.0 through 18.06.6 and 19.07.0.
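To make the failure mode concrete, here is a simplified Python model added to this article (not opkg's source and not ForAllSecure's code): a package-list parser whose buggy path drops the SHA256sum value because of the space after the colon, beside a corrected path that reads it properly, checked against a constructed index entry and two same-size package files. The package name, the package bytes and the exact form of the parsing error are assumptions for illustration; the corrected path fixes the parser, whereas the article reports the project removing the space from the package list, and either change makes the hash comparison effective again.

```python
import hashlib
import re

# Constructed package bytes (not real OpenWrt packages). Both are 16 bytes,
# so a check that only compares sizes cannot tell them apart.
GOOD_PKG = b"genuine-payload!"
TAMPERED_PKG = b"altered-payload!"

HEX64 = re.compile(r"[0-9a-f]{64}")

def make_index_entry(pkg: bytes) -> str:
    """Package-list entry in 'Field: value' form, as a repository would
    publish it for the genuine package (hypothetical package name)."""
    return (f"Package: example-pkg\nSize: {len(pkg)}\n"
            f"SHA256sum: {hashlib.sha256(pkg).hexdigest()}\n")

def parse_entry(entry: str, buggy: bool) -> dict:
    """Simplified model of the defect, not opkg's code: the buggy path
    assumes the digest starts right after the colon, so the space that
    follows 'SHA256sum:' makes the value fail the 64-hex-digit check and
    the hash is silently dropped; the fixed path strips the space first."""
    fields = {"size": 0, "sha256": ""}
    for line in entry.splitlines():
        key, _, raw = line.partition(":")
        value = raw if buggy else raw.strip()
        if key == "Size":
            fields["size"] = int(value)      # int() tolerates the space
        elif key == "SHA256sum" and HEX64.fullmatch(value):
            fields["sha256"] = value
    return fields

def verify(fields: dict, pkg: bytes) -> bool:
    """Installer-side check as the article describes it: the size must
    match, and the SHA-256 digest is compared only when the parser
    actually produced one."""
    if len(pkg) != fields["size"]:
        return False
    if not fields["sha256"]:
        return True                          # nothing to compare against
    return hashlib.sha256(pkg).hexdigest() == fields["sha256"]

def accepted(pkg: bytes, buggy: bool) -> bool:
    """Would this package be accepted against the genuine package's index
    entry under the buggy or the fixed parser?"""
    return verify(parse_entry(make_index_entry(GOOD_PKG), buggy), pkg)

if __name__ == "__main__":
    for name, pkg in (("genuine", GOOD_PKG), ("tampered", TAMPERED_PKG)):
        print(f"{name:8s} buggy={accepted(pkg, True)} "
              f"fixed={accepted(pkg, False)}")
```

With the buggy parser the tampered file is accepted purely because its size matches; with the corrected parser only the genuine file passes.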
Updating rectifies all
Updating to the latest security versions is the only remedy. OpenWrt responded to Guido Vranken's report and immediately removed the space in the SHA256sum field of the package list. The fix is obtained by updating OpenWrt to version 18.06.7 or 19.07.1. Source: ForAllSecure