PT-2019-5517 · Openwrt · Openwrt
Claudio Bozzato · Published 2019-09-11 · Updated 2023-07-12 · CVE-2019-5102
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenWrt versions 15.05.1 through 18.06.4
Description
The issue lies in the certificate verification procedure of the Ustream-SSL library in OpenWrt. When connecting to a remote server, the server's SSL certificate is checked, but no action is taken if the certificate is invalid. A remote attacker can exploit this to perform a man-in-the-middle attack by presenting any certificate, potentially leading to the theft of data sent by the client during the first request.
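The following added example is a constructed model of the pattern described above, placing a handler that stores the verification result without acting on it beside one that fails closed. It is not code from OpenWrt or Ustream-SSL; the struct, function names and sample request are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS client; names are hypothetical, not the library's API. */
struct client {
    bool cert_valid;    /* result of certificate verification */
    bool closed;        /* connection torn down by the client */
    char pending[128];  /* first request, queued by the application */
    char wire[128];     /* application bytes that reached the peer */
};

static void client_init(struct client *c, const char *first_request) {
    memset(c, 0, sizeof(*c));
    snprintf(c->pending, sizeof(c->pending), "%s", first_request);
}

/* Pattern from the description: the check runs, its result is only stored. */
static void on_handshake_done_ignoring(struct client *c, bool cert_ok) {
    c->cert_valid = cert_ok;
    memcpy(c->wire, c->pending, sizeof(c->wire));  /* flushed regardless */
}

/* Fail closed: an invalid certificate drops the queued request and closes. */
static void on_handshake_done_enforcing(struct client *c, bool cert_ok) {
    c->cert_valid = cert_ok;
    if (!cert_ok) {
        memset(c->pending, 0, sizeof(c->pending));
        c->closed = true;
        return;
    }
    memcpy(c->wire, c->pending, sizeof(c->wire));
}

/* Bytes of the first request that reach the peer for a given verification result. */
size_t bytes_exposed(bool cert_ok, bool enforce) {
    struct client c;
    /* Constructed sample request with a placeholder secret. */
    client_init(&c, "POST /login HTTP/1.1\r\n\r\nuser=admin&pass=<placeholder>");
    if (enforce) on_handshake_done_enforcing(&c, cert_ok);
    else         on_handshake_done_ignoring(&c, cert_ok);
    return strlen(c.wire);
}

int main(void) {
    printf("invalid cert, result ignored : %zu bytes sent\n", bytes_exposed(false, false));
    printf("invalid cert, result enforced: %zu bytes sent\n", bytes_exposed(false, true));
    printf("valid cert,   result enforced: %zu bytes sent\n", bytes_exposed(true, true));
}
```

The point for review is where the verification result is consumed: it has to gate the first write of application data, not only be recorded.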
Recommendations
For versions 15.05.1 and 18.06.4, consider disabling the Ustream-SSL library until a patch is available to prevent man-in-the-middle attacks.
Restrict access to remote servers using the vulnerable Ustream-SSL library to minimize the risk of exploitation.
Avoid using the vulnerable library for sensitive data transmission until the issue is resolved.
Weakness Enumeration
Improper Certificate Validation
Affected Products
Openwrt