juched
Very Senior Member
Seems a remote code execution issue has been found in opkg, which many scripts use to extend functionality in Asus-Merlin.
TL;DR: signatures are not checked and downloads are handled via HTTP, so it is open to attack to download malware.
https://blog.forallsecure.com/uncovering-openwrt-remote-code-execution-cve-2020-7982
I did a search and didn’t find a thread here about this. Need to update to OpenWRT versions 18.06.7 and 19.07.1.
I don’t see a fixed version for the busybox alternative yet. Perhaps I am missing it.