OpenWrt vulnerability in opkg [CVE-2020–7982]

viktor · March 25, 2020, 2:02pm

n8v8r · March 25, 2020, 11:08am

Been fixed already https://openwrt.org/advisory/2020-01-31-1

viktor · March 25, 2020, 11:13am

But not every device have Turris OS 3.11.14 or newer. Are there any statistics?

HomerSp · March 25, 2020, 1:42pm

I don’t see how this is relevant when it was fixed in Turris OS almost 2 months ago.

viktor · March 25, 2020, 2:50pm

Basic information about the vulnerability and its public detailed description with remote exploit example is the difference.

viktor · March 25, 2020, 9:29pm

For example:

Pepe · March 26, 2020, 9:45am

What would like to tell us with the thread? What should be done there, when the router was not connected for a long time? The router is and will be able to update itself to the latest version automatically, if approvals are not used.

viktor · March 26, 2020, 10:47am

It has happened repeatedly in recent years that routers with different configuration and location did not automatically update. It is my long-term experience. If there is an exploit, it is obvious to ask if you have an overview of the updates.

DIKKEHENK · March 26, 2020, 12:34pm

sorry, but this is getting boring viktor. It is a simple waste of bandwith. Untill now, almost all known security patches are being implemented, and very quick. Being critical just to be critical is something else, this looks like trolling. Please keep the forum clean and relevant?

txs, DIKKE

viktor · March 26, 2020, 12:39pm

This post is not critic and information about available exploit is not trolling. Anybody who has not updated their router should do so. Anybody who does not know if have router updated should check it. Finally, I ask if there are statistics about used TOS versions.

DIKKEHENK · March 26, 2020, 12:58pm

This is non info. if you search the CVE, first hit is the TOS version that has the patch. If you do not update, fine, your problem. These developers are not the update police. If you do not update, fine, have it your way.
Please stop this useless filling of the forum here.

This topic can be closed.

viktor · March 26, 2020, 1:03pm

If you don’t find this information useful, you don’t need to respond to it.

Pepe · March 27, 2020, 2:35pm

On our blog, we have published an article about this security vulnerability in opkg.

https://en.blog.nic.cz/2020/03/27/critical-opkg-cve-and-turris/

viktor · March 27, 2020, 2:36pm

Thank you @pepe. I appreciate it.

mh182 · March 29, 2020, 7:56am

Just wanted to mention, that I was glad about the post. I read about the vulnerability on a technical news paper and asked myself if my Mox T is vulnerable.
Apart from the fact that I would not know where to look for the info, I forgot the issue and never checked if my router was save.
5 days later I get the digest of the forum, with this post - voila, no search, 1 minute read, and I feel save again.

my feedback - even if sometimes a post seems trivial (or an implicite offence) to one audience, it is valuable info for another audience.

thx for the info, and thx for the fast security fix

vcunat · March 29, 2020, 4:01pm

Another way was to enter “CVE-2020-7982” into the forum search box, which would directly show you the (pre-)release announcements from a few weeks ago (Certainly not all CVEs have their own topics here, and that’s a good thing.)

viktor · March 29, 2020, 6:49pm

Because everything what I wrote is bad.