
OpenWRT remote code execution Mayhem CVE-2020-7982


juched

Seems a remote code execution issue has been found in opkg which many scripts use to extend functionality in Asus-Merlin.

TLDR; signatures are not checked and downloads handled via HTTP so open to attack to download malware.

https://blog.forallsecure.com/uncovering-openwrt-remote-code-execution-cve-2020-7982

I did a search and didn’t find a thread here about this. Need to update to OpenWRT versions 18.06.7 and 19.07.1.

I don’t see a fixed version for the busybox alternative yet. Perhaps I am missing it.
 
There seems to be some confusion around these issues. Initial public reports were talking about OpenWRT firmware updates, not opkg.
 
