PT-2020-19897 · Openwrt+1 · Openwrt+2
Guido Vranken · Published 2020-02-01 · Updated 2023-05-24 · CVE-2020-7982
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenWrt versions 18.06.0 through 18.06.6
OpenWrt version 19.07.0
LEDE versions 17.01.0 through 17.01.7
Description
A bug in OpenWrt's fork of the opkg package manager prevents correct parsing of the checksums embedded in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads, which are then installed without verification. The flaw is in the code that checks the SHA-256 checksums listed in the signed package index: an attacker can create conditions under which these checksums are ignored, bypassing the integrity check on downloaded ipk resources.
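The property the description says was lost, shown as an added example (not opkg's code and not part of the original advisory): a verifier that fails closed, so a checksum that is missing or cannot be parsed is an error rather than a skipped check. It assumes the index signature has already been verified; the function names and sample data are constructed for illustration, and `Package`, `Size` and `SHA256sum` are the field names used in opkg package indexes.

```python
import hashlib
import re

# Constructed sample payload and index text (not real OpenWrt data).
SAMPLE_IPK = b"constructed ipk payload bytes"
SAMPLE_INDEX = (
    "Package: demo-pkg\n"
    "Filename: demo-pkg_1.0-1_all.ipk\n"
    f"Size: {len(SAMPLE_IPK)}\n"
    f"SHA256sum: {hashlib.sha256(SAMPLE_IPK).hexdigest()}\n"
    "\n"
    "Package: no-sum-pkg\n"
    "Filename: no-sum-pkg_2.0-1_all.ipk\n"
    f"Size: {len(SAMPLE_IPK)}\n"
)
HEX64 = re.compile(r"[0-9a-f]{64}")

class VerificationError(Exception):
    """Raised whenever a payload cannot be positively verified."""

def parse_index(text):
    """Split an index into {package name: {field: value}} (hypothetical helper)."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():
                continue  # continuation of a multi-line field, not a new key
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            entries[fields["Package"]] = fields
    return entries

def verify_payload(index_text, name, payload):
    """Return True only if payload matches the index entry; raise otherwise."""
    entry = parse_index(index_text).get(name)
    if entry is None:
        raise VerificationError(f"{name}: not in index")
    digest = entry.get("SHA256sum", "").lower()
    # Fail closed: a missing or malformed checksum is an error, never a skip.
    if not HEX64.fullmatch(digest):
        raise VerificationError(f"{name}: no usable SHA256sum in index")
    if entry.get("Size") != str(len(payload)):
        raise VerificationError(f"{name}: size mismatch")
    if hashlib.sha256(payload).hexdigest() != digest:
        raise VerificationError(f"{name}: SHA-256 mismatch")
    return True
```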
Recommendations
For OpenWrt versions 18.06.0 through 18.06.6, update to version 18.06.7.
For OpenWrt version 19.07.0, update to version 19.07.1.
For LEDE versions 17.01.0 through 17.01.7, no specific fix is provided; consider updating to a newer version of OpenWrt.
As a temporary workaround, consider disabling the use of the opkg package manager until a patch is available.
Restrict access to the package repository to minimize the risk of exploitation.
Exploit
Fix
Insufficient Verification of Data Authenticity
Improper Check for Exceptional Conditions
Affected Products
Lede
Openwrt
Opkg