PT-2024-9271 · OpenWrt · OpenWrt

Author: Ry0Tak · Published 2024-12-06 · Updated 2025-03-18 · CVE-2024-54143

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenWrt Attended SysUpgrade (ASU) server versions prior to commit 920c8a1
Description: The issue lies in the Attended SysUpgrade (ASU) feature of OpenWrt and allows injection of malicious firmware. It results from a combination of a command injection in the ImageBuilder service and the use of truncated SHA-256 hashes, which makes it feasible for an attacker to generate hash collisions and serve compromised images to users. Exploitation could be used to distribute malicious firmware packages, potentially affecting over 1.7 million services.
Recommendations: Update to ASU version 920c8a1, which fixes the vulnerability. Verify the integrity of builds and use only official images from the OpenWrt website. As a temporary workaround, consider restricting access to the vulnerable openwrt/asu server until the patch is applied.

Related Identifiers

BDU:2024-10959
CVE-2024-54143
GHSA-R3GQ-96H6-3V7Q

Affected Products

OpenWrt