5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
42.1%
DESCRIPTION
An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt. When connecting to a remote server, the server’s SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request.
*[SSL]: Secure Socket Layer
REQUIREMENTS
In order to exploit this vulnerability, a malicious actor needs to perform a man-in-the-middle attack, presenting a requesting ustream-ssl client with any invalid certificate. The ustream-ssl client will eventually tear down the SSL connection due to that, but only after flushing pending data, e.g. the HTTP request payload in case of an HTTPS client application.
*[SSL]: Secure Socket Layer
*[HTTP]: Hypertext Transfer Protocol
*[HTTPS]: Hypertext Transfer Protocol Secure
MITIGATIONS
To fix this issue, update the affected ustream-ssl packages using the command below.
opkg update; opkg upgrade libustream-mbedtls libustream-openssl
The fix is contained in the following and later versions:
OpenWrt master: 2019-11-05-c9b66682-1
OpenWrt 19.07: 2019-08-17-e8f9c22d-2
OpenWrt 18.06: 2018-07-30-23a3f283-2
AFFECTED VERSIONS
To our knowledge, OpenWrt versions 18.06.0 to 18.06.4 are affected. The fixed packages are integrated in the OpenWrt 18.06.5, OpenWrt 19.07.0-rc1 and subsequent releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.
CREDITS
The issue has been reported by the Claudio Bozzato of Cisco Talos on 11th September 2019. (<http://talosintelligence.com/vulnerability-reports/>)
The issue has been fixed by Jo-Philipp Wich <jo at mein.io>
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
42.1%