Security advisories on OpenWrt

Dropbear privilege escalation via Unix domain socket forwarding

Tue, 16 Dec 2025 00:00:00 +0000

DESCRIPTION

A privilege escalation vulnerability has been discovered in the Dropbear SSH server affecting configurations where multiple local users are allowed to authenticate via SSH.

When processing TCP or Unix domain socket forwardings requested by an authenticated SSH client, Dropbear executes the forwarding operations as root, only switching to the logged-in user’s UID/GID after establishing the session shell. With the recently added support for Unix domain socket forwarding, this behavior allows any authenticated non-root SSH user to connect to arbitrary local root-owned Unix sockets as if they were the root user.

ltq-ptm: local privilege escalation

Wed, 22 Oct 2025 00:00:00 +0000

DESCRIPTION

Local users could read and write arbitrary kernel memory using the ioctls of the ltq-ptm driver which is used to drive the datapath of the DSL line.

REQUIREMENTS

This only effects the lantiq target supporting xrx200, danube and amazon SoCs from Lantiq/Intel/MaxLinear with the DSL in PTM mode. The DSL driver for the VRX518 is not affected. ATM mode is also not affected. Most VDSL lines use PTM mode and most ADSL lines use ATM mode.

ubusd: heap buffer overflow

Wed, 22 Oct 2025 00:00:00 +0000

DESCRIPTION

ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon.

The affected code is executed before running the ACL checks, all ubus clients are able to send such messages.

In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL.

OpenWrt Attended SysUpgrade server: Build artifact poisoning via truncated SHA-256 hash and command injection

Fri, 06 Dec 2024 00:00:00 +0000

DESCRIPTION

Due to the combination of the command injection in the imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision. The issue consists of two main components:

1. Command Injection in Imagebuilder: During image builds, user-supplied package names are incorporated into make commands without proper sanitization. This allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key.

Multiple issues in mac80211 and cfg80211

Mon, 17 Oct 2022 00:00:00 +0000

DESCRIPTION

Multiple vulnerabilities were found in the Linux Kernel mac80211 and cfg80211 framework. OpenWrt takes the mac80211 and cfg80211 framework from the wireless backports project which copies it from a more recent Linux kernel version.

These vulnerabilities are in the multi BSSID (MBSSID) beacon parsing code and the P2P-device beacon parsing code.

CVE-2022-41674: fix u8 overflow in cfg80211_update_notlisted_nontrans (max 256 byte overwrite) (RCE)
CVE-2022-42719: wifi: mac80211: fix MBSSID parsing use-after-free use after free condition (RCE)
CVE-2022-42720: wifi: cfg80211: fix BSS refcounting bugs ref counting use-after-free possibilities (RCE)
CVE-2022-42721: wifi: cfg80211: avoid nontransmitted BSS list corruption list corruption (DOS)
CVE-2022-42722: wifi: mac80211: fix crash in beacon protection for P2P-device NULL ptr dereference crash (DOS)

REQUIREMENTS

The vulnerabilities are mostly in the Wifi beacon parsing code. OpenWrt operating as Wifi AP or Wifi client is affected when it scans for Wifi networks. A malicious attacker could exploit this by sending specially crafted packets while the target is scanning for Wifi networks. A malicious attacker has to be physically close to the target to exploit these vulnerabilities. This can be exploited by attackers which are not necessary part of the network, no authentication needed. Wifi drivers in OpenWrt will parse beacons from arbitrary Wifi devices nearby.

wolfSSL buffer overflow during a TLS 1.3 handshake

Tue, 04 Oct 2022 00:00:00 +0000

DESCRIPTION

In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow on server during a TLS 1.3 handshake.

This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are required to contain a list of duplicate cipher suites to trigger the buffer overflow. In total, two Client Hellos have to be sent: one in the resumed session, and a second one as a response to a Hello Retry Request message.

luci-app-ddns: Multiple authenticated RCEs

Sun, 01 Aug 2021 00:00:00 +0000

DESCRIPTION

An authenticated user in LuCI is able to inject shell code in luci-app-ddns. Multiple variables in the luci-app-ddns applications where not validated before they were executed on the system’s shell, which could be exploited by adding system shell commands.

REQUIREMENTS

To exploit this vulnerability the attackers needs access to LuCI and the extra application luci-app-ddns has to be installed. The attacker is then able to inject code which is executed on the shell of the system.

Stored XSS in hostname UCI variable

Sun, 01 Aug 2021 00:00:00 +0000

DESCRIPTION

Multiple OpenWrt LuCI templates, including the one shipped by default, integrated the content of the UCI hostname variable without stripping it from malicious JavaScript. This allowed an attacker, which can control the content of the UCI hostname variable, to inject a arbitrary JavaScript into LuCI.

The following LuCI packages were affected:

luci-theme-bootstrap
luci-theme-material
luci-theme-openwrt

REQUIREMENTS

The attacker needs permission to change the UCI hostname variable. Normally only the root user is allowed to do this. In a normal OpenWrt installation such a user would already be allowed to do arbitrary changes to LuCI including changing the LuCI templates.

XSS via missing input validation of host names displayed

Sun, 01 Aug 2021 00:00:00 +0000

DESCRIPTION

Missing input validation of host names displayed in OpenWrt LuCI web-interface leads to Cross-site scripting, which can be used to gain full control over the affected system.

REQUIREMENTS

Users need to visit the LuCI “Connection status” page of the router and activate the host name resolution. The attackers need to hold a connection to the OpenWrt router which is displayed in the Web-interface, ie. via sending ICMP ping messages.

netifd and odhcp6c routing loop on IPv6 point to point links

Tue, 02 Feb 2021 00:00:00 +0000

DESCRIPTION

In case a link prefix route points to a point-to-point link it can trigger a routing loop if the destination IPv6 address belongs to the prefix and is not a local IPv6 address. If such a packet is received and not directed to a local IPv6 address it will be routed back to the point-to-point link due to the link prefix route; the upstream ISP router will in its turn route the IPv6 packet back due to the assigned prefix route creating a “ping pong” effect.

wolfSSL heap buffer overflow in RsaPad_PSS

Tue, 02 Feb 2021 00:00:00 +0000

DESCRIPTION

RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. The issue is marked as critical with CVSS score of 9.8.

REQUIREMENTS

FIXME

It’s still work in progress, there is not that much information about it available yet, but according to the very high CVSS score of 9.8 (10 is most severe) it’s likely, that this issue has RCE potential.

dnsmasq multiple vulnerabilities

Tue, 19 Jan 2021 00:00:00 +0000

DESCRIPTION

Dnsmasq has two sets of vulnerabilities, one set of memory corruption issues handling DNSSEC and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on the target device and perform cache poisoning attacks against the target environment.

These vulnerabilities are also tracked as ICS-VU-668462 and referred to as DNSpooq.

JSOF reported multiple buffer overflow vulnerabilities in dnsmasq due to boundary checking errors in DNSSEC handling code.

OpenWrt forum break-in on 16-Jan-2021

Sun, 17 Jan 2021 00:00:00 +0000

DESCRIPTION

Around 0400 GMT on 16 Jan 2021, an administrator account on the OpenWrt forum (https://forum.openwrt.org) was breached. It is not known how the account was accessed: the account had a good password, but did not have two-factor authentication enabled.

The intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum. Although we do not believe the intruder could download the database, from an abundance of caution, we are following the advice of the Discourse community and have reset all passwords on the Forum, and flushed any API keys.

libuci import heap use after free

Wed, 09 Dec 2020 00:00:00 +0000

DESCRIPTION

Possibly exploitable vulnerability was found in Unified Config Interface (UCI) library named libuci, specifically in uci_import() C API function.

CVE-2020-28951 has been assigned to this issue.

REQUIREMENTS

In order to exploit this vulnerability a malicious attacker would need to provide specially crafted config file to uci_import() C API function. For example, this is possible with UCI CLI by following shell command:

 uci import -f malicious.config

MITIGATIONS

To fix this issue, update the affected libuci package using the command below.

Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack

Wed, 09 Dec 2020 00:00:00 +0000

DESCRIPTION

A flaw has been found in the ICMP rate limiting algorithm of the Linux kernel.

This flaw allows an off-path attacker to quickly determine open ephemeral ports that are used by applications making outbound connections.

This can be exploited by an off-path attacker to more easily perform a DNS cache poisoning attack. Such an attack normally involves trying all possible values of the UDP source port and the DNS transaction ID, which is considered difficult to do. With this flaw, the attacker can quickly guess the UDP source port, and then it only has to try all possible values of the DNS transaction ID, which is easier to do: the transaction ID only has 16 bits. It should be noted that the attacker also needs to know the actual query sent by the resolver.

relayd out-of-bounds reads of heap data and possible buffer overflow

Wed, 06 May 2020 00:00:00 +0000

DESCRIPTION

relayd in OpenWrt through 19.07.2 and 18.06.8 has potential for out-of-bounds reads of heap data and possible buffer overflow.

relayd is a transparent routing / relay daemon for OpenWrt. It can be used to relay traffic between two networks, including DHCP and broadcast, when other options don’t work or are too complex to implement.

We have not been made aware of any exploits at this time, however users are advised to update the relayd package to 2020-04-25-f4d759be-1 or later.

umdns out-of-bounds reads of heap data and possible buffer overflow

Wed, 06 May 2020 00:00:00 +0000

DESCRIPTION

umdns in OpenWrt through 18.06.8 and 19.07.2 has potential for out-of-bounds reads of heap data and possible buffer overflow.

umdns is the OpenWrt Multicast DNS Daemon.

We have not been made aware of any exploits at this time, however users are advised to update the umdns package to 2020-04-25-cdac0460-1 or later.

CVE-2020-11750 has been assigned to this issue.

REQUIREMENTS

The umdns package is not part of the default package set: official OpenWrt images provided for download do not contain umdns. However, third-party firmware images based on OpenWrt may contain umdns by default.

ppp buffer overflow vulnerability

Fri, 21 Feb 2020 00:00:00 +0000

DESCRIPTION

A remotely exploitable vulnerability was found in Point-to-Point Protocol Daemon (pppd), which has a significant potential impact due to the possibility of remote code execution prior to authentication.

OpenWrt by default enables the _FORTIFY_SOURCE=1 compiler macro which introduces additional checks to detect buffer-overflows in the standard library functions, thus protecting the memcpy() abused in this overflow, preventing the actual buffer overflow and hence possible remote code execution by instead terminating the pppd daemon. Due to those defaults the impact of the issue was changed to a denial of service vulnerability, which is now also addressed by this fix.

libubox tagged binary data JSON serialization vulnerability

Fri, 31 Jan 2020 00:00:00 +0000

DESCRIPTION

Possibly exploitable vulnerability exists in the libubox library of OpenWrt, specifically in the parts related to JSON conversion of tagged binary data, so called blobs. An attacker could possibly exploit this behavior by providing specially crafted binary blob or JSON which would then be translated into blob internally.

This malicious blobmsg input would contain blob attribute holding large enough numeric value of type double which then processed by blobmsg_format_json would overflow the buffer array designated for JSON output allocated on the stack.

Opkg susceptible to MITM

Fri, 31 Jan 2020 00:00:00 +0000

DESCRIPTION

A bug in the package list parse logic of OpenWrt’s opkg fork caused the package manager to ignore SHA-256 checksums embedded in the signed repository index, effectively bypassing integrity checking of downloaded .ipk artifacts.

The bug has been introduced with commit https://git.openwrt.org/54cc7e3 which failed to advance the proper string pointer when skipping the leading white- space portition of the checksum string, causing the subsequent hex decoding loop to return early with a zero length checksum.

uhttpd invalid data access via HTTP POST request

Mon, 13 Jan 2020 00:00:00 +0000

DESCRIPTION

An invalid data access can be triggered with an HTTP POST request to a CGI script specifying both Transfer-Encoding: chunked and a large Content-Length which exceeds 2^31 and is interpreted as a signed negative number.

The negative content length is assigned to r->content_length in client_parse_header and passed as a negative read length to ustream_consume in client_poll_post_data which will set the internal ustream buffer pointer to an invalid address, causing out of bounds memory reads later on in the code flow.

LuCI CSRF vulnerability

Tue, 05 Nov 2019 00:00:00 +0000

DESCRIPTION

A logic flaw in LuCI‘s HTTP routing component led to ineffective CSRF token testing for various request endpoints, specifically ones using the ’‘arcombine()’’ dispatch action.

This allows 3rd party web pages running in the same browser session as an active LuCI login session to perform unintended operations on the device without user intervention, such as changing firewall rules or reconfiguring the network.

REQUIREMENTS

In order to exploit this vulnerability, a user needs to be logged into LuCI while visiting malicious websites in the same browser session, e.g. within a different tab.

LuCI stored XSS

Tue, 05 Nov 2019 00:00:00 +0000

DESCRIPTION

A vulnerability has been reported in LuCI which allows injection of script code through maliciously crafted wireless network SSIDs.

When joining a wireless network by clicking Network -> Wireless -> Join, the subsequent configuration view interprets the SSID of the network to join without proper escaping, allowing to execute arbitrary JavaScript in the client‘s web browser through network names which contains payload, for example ’‘AP</h2><svg onclick=alert(0);>’’

Additionally the network interface overview displays configured wireless network SSID without proper escaping.

ustream-ssl information disclosure

Tue, 05 Nov 2019 00:00:00 +0000

DESCRIPTION

An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt. When connecting to a remote server, the server’s SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request.

REQUIREMENTS

In order to exploit this vulnerability, a malicious actor needs to perform a man-in-the-middle attack, presenting a requesting ustream-ssl client with any invalid certificate. The ustream-ssl client will eventually tear down the SSL connection due to that, but only after flushing pending data, e.g. the HTTP request payload in case of an HTTPS client application.