LuCI CSRF vulnerability

DESCRIPTION

A logic flaw in LuCI‘s HTTP routing component led to ineffective CSRF token testing for various request endpoints, specifically ones using the ’‘arcombine()’’ dispatch action.

This allows 3rd party web pages running in the same browser session as an active LuCI login session to perform unintended operations on the device without user intervention, such as changing firewall rules or reconfiguring the network.

REQUIREMENTS

In order to exploit this vulnerability, a user needs to be logged into LuCI while visiting malicious websites in the same browser session, e.g. within a different tab.

MITIGATIONS

To fix this issue, update the affected LuCI package using the command below.

 opkg update; opkg upgrade luci-base

The fix is contained in the following and later versions:

OpenWrt master: git-19.282.28544-f8c6eb6
OpenWrt 19.07: git-19.282.28544-f8c6eb6
OpenWrt 18.06: git-19.282.28671-ee38da9

To workaround the problem, avoid visiting malicious sites while being logged into LuCI. Changing the default router IP and hostname can also help to mitigate the issue somewhat as CSRF exploits require predictable URL targets to work.

AFFECTED VERSIONS

To our knowledge, LuCI packages with OpenWrt versions 18.06.0 to 18.06.4 are affected.

The fixed LuCI packages are integrated in the OpenWrt 18.06.5, OpenWrt 19.07.0-rc1 and subsequent releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

CREDITS

The issue has been reported by Abhinav Mohanty <amohant1 at uncc.edu>, Parag Mhatre <pmhatre1 at uncc.edu> and Dr. Meera Sridhar <msridhar at uncc.edu> from the University of North Carolina, Charlotte on 8th October 2019.

The issue has been fixed by Jo-Philipp Wich <jo at mein.io>