CVE-2019-5101

Name of the Vulnerable Software and Affected Versions OpenWrt versions 15.05.1 and 18.06.4

Description An information leak vulnerability exists in the ustream-ssl library of OpenWrt. When connecting to a remote server, the server's SSL certificate is checked, but no action is taken when the certificate is invalid. This behavior can be exploited by an attacker performing a man-in-the-middle attack, providing any certificate, which could lead to the theft of all the data sent by the client during the first request. The vulnerability is related to errors in the SSL certificate authentication procedure.

Recommendations For OpenWrt version 15.05.1, update to a version that includes a fix for the ustream-ssl library issue. For OpenWrt version 18.06.4, update to a version that includes a fix for the ustream-ssl library issue. As a temporary workaround, consider disabling the use of the ustream-ssl library until a patch is available. Restrict access to sensitive data and minimize the use of affected OpenWrt versions to reduce the risk of exploitation.