- Description
- openwrt/asu is an image-on-demand server for OpenWrt-based distributions. Its request hashing mechanism truncates the SHA-256 digest of a build request to 12 hexadecimal characters (48 bits of the 256-bit digest). That leaves so little entropy that an attacker can brute-force a second request whose truncated hash matches a legitimate one. Because built images are cached under that truncated hash, the attacker's previously built malicious image is then served in place of the legitimate one, "poisoning" the artifact cache and delivering compromised images to unsuspecting users. This can be combined with other attacks, such as a command injection in ImageBuilder that lets a malicious user inject arbitrary commands into the build process, producing malicious firmware images signed with the legitimate build key. This has been patched in commit 920c8a1.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- Weakness source
- security-advisories@github.com
- Weakness
- CWE-328 (Use of Weak Hash)
- Hype score
- Not currently trending
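The cache-poisoning mechanism in the description, as an added example that is not code from openwrt/asu. The only property taken from the advisory is that the cache key was the first 12 hex characters (48 bits) of a SHA-256 digest; the request fields, the canonical-JSON serialization, the in-memory cache and the `evil-pkg-N` package name the attacker varies are all assumptions made for the demonstration. The search runs at 4 hex characters (16 bits) so it finishes in pure Python; the 48-bit search the advisory calls feasible is the same loop with a larger exponent, which is GPU territory.

```python
"""Build-cache poisoning through a truncated request hash.

Added example, not openwrt/asu code.  Request shape, serialization and the
cache are stand-ins; the vulnerable key length (12 hex chars) is from the
advisory, and the fix is keeping the whole digest.
"""
import hashlib
import json

VULN_KEY_LEN = 12    # hex characters the vulnerable server kept (48 bits)
FULL_KEY_LEN = None  # fixed behaviour: keep all 64 hex characters


def request_hash(req, key_len):
    """Canonical JSON -> SHA-256 hex digest, truncated to key_len hex chars
    (None keeps the full 64).  The serialization is an assumption."""
    canon = json.dumps(req, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canon).hexdigest()
    return digest if key_len is None else digest[:key_len]


def work_factor_bits(key_len):
    """Bits an attacker must brute-force to hit one specific cache key
    (a second preimage on the truncated digest): 4 bits per hex char."""
    return 256 if key_len is None else 4 * key_len


def build_image(req):
    """Stand-in for ImageBuilder: the artifact records which packages went in."""
    return "image[" + ",".join(req["packages"]) + "]"


class ImageCache:
    """Build cache keyed on request_hash(); equal keys share one artifact."""

    def __init__(self, key_len):
        self.key_len = key_len
        self.store = {}

    def build_or_fetch(self, req):
        key = request_hash(req, self.key_len)
        if key not in self.store:      # miss: build and remember
            self.store[key] = build_image(req)
        return self.store[key]         # hit: whoever built first is served to everyone


def find_colliding_request(victim_req, key_len, max_bits=24):
    """Vary an attacker-controlled field (an extra package name) until the
    truncated hash equals the victim's.  Expected cost is 2**work_factor_bits
    hashes; above max_bits the demo gives up, which is where a real attacker
    moves the same loop to a GPU.  Returns None if no collision is found."""
    bits = work_factor_bits(key_len)
    if bits > max_bits:
        return None
    target = request_hash(victim_req, key_len)
    for i in range(1 << (bits + 4)):   # 16x the expected tries; failure odds ~e**-16
        cand = dict(victim_req)
        cand["packages"] = sorted(victim_req["packages"] + [f"evil-pkg-{i}"])
        if request_hash(cand, key_len) == target:
            return cand
    return None


def poison_demo(key_len):
    """Attacker primes the cache, then the victim requests a clean build.
    Returns the artifact the victim actually receives."""
    victim_req = {  # constructed, fully predictable request
        "target": "ath79/generic",
        "profile": "tplink_archer-c7-v2",
        "version": "23.05.5",
        "packages": ["luci"],
    }
    cache = ImageCache(key_len)
    evil = find_colliding_request(victim_req, key_len)
    if evil is None:  # no collision found: attacker can only submit a non-colliding request
        evil = dict(victim_req, packages=["evil-pkg-0", "luci"])
    cache.build_or_fetch(evil)                # attacker's artifact lands in the cache first
    return cache.build_or_fetch(victim_req)   # victim: hit on the attacker's key, or a clean miss


if __name__ == "__main__":
    # 4 hex chars (16 bits) collides in well under a second of pure Python;
    # the advisory's 12 chars is a 48-bit search, skipped here but within
    # reach of GPU hashing; the fix (64 chars) is a 256-bit search.
    for k in (4, FULL_KEY_LEN):
        print(f"key_len={k}: {work_factor_bits(k)}-bit search, victim receives {poison_demo(k)}")
```

Two points the code makes concrete. First, the attacker does not need a generic birthday collision: every field of a victim's request (target, profile, release version, default package set) is public, so matching one specific 48-bit key is enough, and that is a plain brute-force loop. Second, signature checking on the device does not help, because the poisoned artifact came out of the legitimate build pipeline; the defence is in the cache key, which is why the fix keeps the full digest.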
Have you heard about the new vulnerability, CVE-2024-54143, affecting #OpenWRT? ⚠️ No need to worry – if you’re using Teltonika networking #IoT devices, you’re safe and sound. If you have any questions, don't hesitate to contact us ➡https://t.co/d9cipXH1pt https://t.co/xO4Ic6
@TeltonikaNET
27 Dec 2024
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical vulnerability (CVE-2024-54143) in OpenWrt's Attended Sysupgrade (ASU) feature could have allowed attackers to distribute malicious firmware packages. Rated 9.3/10 in severity, the flaw, discovered by Flatt Security's RyotaK, was patched in ASU version 920c8a1. https://
@smart_c_intel
20 Dec 2024
44 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Serious OpenWrt vulnerability CVE-2024-54143: firmware update server could be abused https://t.co/vdCdllCLOm This is the first time OpenWrt has appeared on this blog, but I have seen the name in MediaTek-related articles, so it is an embedded Linux… https://t.co/EfjfUCCmO8
@iototsecnews
17 Dec 2024
184 Impressions
2 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Alert! ⚠️ The CVE-2024-54143 vulnerability in OpenWrt affects the security of devices in Spain. Make sure you update your firmware to protect your systems. More info here 👉 https://t.co/yWGoPjuJID #Ciberseguridad #OpenWrt #Vulnerabilidad
@SotyHub
16 Dec 2024
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2024-49112 2 - CVE-2024-50623 3 - CVE-2024-53677 4 - CVE-2024-42845 5 - CVE-2024-54143 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
16 Dec 2024
32 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Critical OpenWrt vulnerability exposes devices to malicious firmware injection CVE-2024-54143 CVSS severity of 9.3 out of a maximum of 10 https://t.co/KzbSZpRyaT https://t.co/umveKCLAyq
@elhackernet
14 Dec 2024
5082 Impressions
39 Retweets
101 Likes
12 Bookmarks
0 Replies
0 Quotes
CVE-2024-54143 : Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection https://t.co/05tSyneUuP
@freedomhack101
14 Dec 2024
31 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A critical OpenWrt vulnerability exposes devices to malicious firmware injection. CVE-2024-54143: serious danger, with a CVSS score of 9.3. Security alerts security analysts should not miss. #Cybersécurité #Vulnérabilité 👉 https://t.co/DtIrZLRoHQ
@CyberAlertFr
14 Dec 2024
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical OpenWrt Vulnerability (CVE-2024-54143) 🚨 A flaw in the ASU feature (CVSS 9.3) allows malicious firmware injection via hash collisions. No authentication needed! 🔒 Update to ASU version 920c8a1 now! Details: https://t.co/okrW5E6SLC #CyberSecurity #OpenWrt
@soap2you
13 Dec 2024
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🛡️ Critical OpenWrt #vulnerability (CVE-2024-54143) discovered — With just a 12-character hash collision, attackers can replace legitimate firmware with a malicious alternative, all without authentication. Discover the technical details: https://t.co/Ttj16DmjVS #cybersecurity
@TheHackersNews
13 Dec 2024
9547 Impressions
31 Retweets
63 Likes
12 Bookmarks
0 Replies
1 Quote
4/8 🔧 How to fix #OpenWrt CVE-2024-54143? Update your ASU instances and verify build integrity. Only use official images from https://t.co/C7szsGNpzI for safety. #PatchNow #SecurityPatch
@Eth1calHackrZ
13 Dec 2024
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨CVE-2024-54143: Critical Vulnerability in OpenWrt’s Attended SysUpgrade Server Allows for Firmware Poisoning 📊 1.7m+ Services are found on https://t.co/ysWb28BTvF yearly. 🔗Hunter Link: https://t.co/tRxcsKerHB 👇Query HUNTER:/product.name="OpenWrt(X-Wrt) Router" SHODAN:
@HunterMapping
11 Dec 2024
2824 Impressions
17 Retweets
50 Likes
12 Bookmarks
0 Replies
0 Quotes
OpenWrt orders router firmware updates after supply chain attack scare: https://t.co/hZW8iYDy9k OpenWrt has urged users to upgrade their firmware following a reported supply chain attack risk. A command injection vulnerability in the attended sysupgrade server (CVE-2024-54143)…
@securityRSS
10 Dec 2024
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
On December 6 the OpenWrt project team published a security advisory disclosing a serious security vulnerability (CVE-2024-54143) in its firmware upgrade service. The vulnerability was discovered and reported by security researcher RyotaK of Japan's Flatt Security.… https://t.co/wCVYTWdQVJ
@Nuwaempress
10 Dec 2024
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️⚠️ CVE-2024-54143: Critical Vulnerability in OpenWrt’s Attended SysUpgrade Server Allows for Firmware Poisoning 🎯 484k+ results are found on https://t.co/pb16tGYaKe yearly. 🔗FOFA Link: https://t.co/DGTyN46gtr FOFA Query: app="OpenWrt" 🔖 Refer:… https://t.co/S5M94gr
@fofabot
10 Dec 2024
1025 Impressions
9 Retweets
17 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨🚨CVE-2024-54143 (CVSS: 9.3) : Openwrt/Asu Allows Build Artifact Poisoning Via Truncated SHA-256 Hash and Command Injection ⚠️This vulnerability could allow attackers to compromise the integrity of firmware updates delivered through its Attended SysUpgrade server. ZoomEye… htt
@zoomeye_team
10 Dec 2024
437 Impressions
2 Retweets
2 Likes
3 Bookmarks
0 Replies
0 Quotes
A serious security vulnerability has been found in the OpenWrt firmware upgrade server; an official fix has been released urgently and everyone is advised to upgrade promptly. On December 6 the OpenWrt project team published a security advisory disclosing a serious security vulnerability (CVE-2024-54143) in its firmware upgrade service. The vulnerability was discovered and reported by security researcher RyotaK of Japan's Flatt Security.… https://t.co/of7DvBrm0C
@srtg000bot
10 Dec 2024
44 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
shelling out in python via magical fairy dust "containers" isn't a great look - CVE-2024-54143 https://t.co/KwZJwwoZFq
@nanovms
9 Dec 2024
242 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Security Advisory 2024-12-06-1 - OpenWrt Attended SysUpgrade server: Build artifact poisoning via truncated SHA-256 hash and command injection (CVE-2024-54143) https://t.co/2j4QRkchUO
@musashino_205
7 Dec 2024
231 Impressions
2 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2024-54143 OpenWrt Image Cache Poisoning Exploit via Hash Collision The openwrt/asu is an on-demand server for OpenWrt distributions. Its request hashing cuts SHA-256 hashes to 12 characters. This lowers secu... https://t.co/haRlMzagHV
@VulmonFeeds
6 Dec 2024
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-54143 openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significa… https://t.co/oMDU7MEbea
@CVEnew
6 Dec 2024
274 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2024-54143: CRITICAL] Warning: Cybersecurity vulnerability in OpenWrt! Exploiting truncated SHA-256 hashes could allow attackers to serve compromised images to users. Patch available with 920c8a1. #cybersecurity #vulnerability https://t.co/EUnPPr7keZ https://t.co/oOtmmLiwq5
@CveFindCom
6 Dec 2024
42 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes