Millions of routers running OpenWRT vulnerable to attack

A vulnerability (CVE-2020-7982) discovered in the package manager of the OpenWRT open source operating system could allow attackers to compromise the embedded and networking devices running it.

About OpenWRT

OpenWRT is an open source, Linux-based operating system that can be run on various types of networking devices (home routers, gateways, repeaters, access points, single board computers, etc.) instead of the software/firmware that vendors usually ship with them.

For example, it can be used on popular Asus, D-Link, Linksys, MikroTik, Netgear, TP-Link routers and other devices.

“Instead of trying to create a single, static firmware, OpenWRT provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application,” the OpenWRT Project explains.

“For developers, OpenWRT is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.”

OpenWRT is generally updated more often than vendor-provided stock firmware, so it is usually a better option for those who care about security and know how to make the switch.

About the vulnerability (CVE-2020-7982)

CVE-2020-7982 is a bug in OpenWRT’s OPKG package manager that may allow attackers to bypass the integrity checking of downloaded .ipk packages.

“Due to the fact that opkg on OpenWRT runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged .ipk packages with malicious payload,” the maintainers explained.

More information about the flaw can be found in this blog post by researcher Guido Vranken, working for ForAllSecure, who discovered and reported it.

But, in short:

  • The attacker must either intercept and replace communication between the vulnerable device and the download web server or be able to change the device’s DNS settings to make downloads.openwrt.org point to a web server controlled by the attacker, and
  • Make sure that the forged, malicious package is the same size as the legitimate package (as specified in the repository index).

“Attacks on a local network using packet spoofing or ARP cache poisoning might be possible, but this has not been tested,” Vranken added.
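An added example (not from the original article or from opkg's code) of the check the two conditions above revolve around: a same-size forgery passes a size comparison but not the SHA-256 comparison against the repository index, and a verifier should fail closed when the checksum is absent or unparseable. The index stanza, package name and payloads are constructed for illustration; the field names follow the Debian-style `Packages` index format.

```python
import hashlib
import re

# Constructed sample data: a "legitimate" payload and a forgery of equal size.
LEGIT_IPK = b"constructed legitimate package payload"
FORGED_IPK = b"X" * len(LEGIT_IPK)

# Constructed index stanza for a made-up package "demo-pkg".
SAMPLE_INDEX = (
    "Package: demo-pkg\nVersion: 1.0-1\nFilename: demo-pkg_1.0-1_all.ipk\n"
    f"Size: {len(LEGIT_IPK)}\n"
    f"SHA256sum: {hashlib.sha256(LEGIT_IPK).hexdigest()}\n"
    "Description: constructed entry\n with a continuation line\n"
)

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def parse_index(text):
    """Return {package name: {field: value}} for each blank-line-separated stanza."""
    entries = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            # Lines starting with whitespace continue the previous field; skip them.
            if line and not line[0].isspace() and sep:
                fields[key] = value.strip()
        if "Package" in fields:
            entries[fields["Package"]] = fields
    return entries


def verify_package(entry, blob):
    """Fail closed: both Size and SHA256sum must be present, well-formed and match."""
    digest = entry.get("SHA256sum", "")
    if not HEX64.fullmatch(digest):
        return False, "missing or malformed SHA256sum"
    size = entry.get("Size", "")
    if not size.isdigit() or int(size) != len(blob):
        return False, "size mismatch"
    if hashlib.sha256(blob).hexdigest() != digest.lower():
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    entry = parse_index(SAMPLE_INDEX)["demo-pkg"]
    print(verify_package(entry, LEGIT_IPK), verify_package(entry, FORGED_IPK))
```

The comparison is only as trustworthy as the index it reads from, so the index itself has to be authenticated before its checksums are used.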

This vulnerability has been fixed since OpenWRT versions 18.06.7 and 19.07.1 were released in late January, but another serious security flaw (CVE-2020-8597) has been fixed in subsequent versions released in late February, so users are advised to upgrade to one of the most recent OpenWRT versions.

RSA Conference announces finalists for Innovation Sandbox Contest 2020

RSA Conference announced the 10 finalists for its Innovation Sandbox Contest 2020. The competition calls on the most promising young companies in cybersecurity to showcase their transformative technologies to a panel of judges and live audience at RSA Conference 2020 in San Francisco. Past winners include Imperva, Phantom, and most recently, Axonius.

On Monday, February 24, the finalists will present a three-minute pitch followed by a question-and-answer round as they battle on stage for the title of “Most Innovative Startup.” The renowned panel of expert judges includes:

  • Asheem Chandna, Partner, Greylock Partners
  • Scott Darling, President, Dell Technologies Capital
  • Dorit Dor, VP Products, Check Point Software Technologies
  • Patrick Heim, Partner and CISO, ClearSky
  • Paul Kocher, Researcher and Entrepreneur

Dr. Herbert (Hugh) Thompson, Program Committee Chair of RSA Conference, will return to host the contest.

The Innovation Sandbox Contest 2020 finalists (in alphabetical order) are:

AppOmni

AppOmni is a leading software-as-a-service (SaaS) security and management platform providing data access visibility, management, and security of SaaS solutions. AppOmni’s patent-pending technology deeply scans APIs, security controls, and configuration settings to secure mission-critical and sensitive data.

BluBracket

BluBracket is an enterprise security solution for code in a software-driven world. BluBracket gives companies visibility into where source code introduces security risk while also enabling them to fully secure their code—without altering developer workflows or productivity.

Elevate Security

Elevate Security solves for the human element. Using data companies already have, Elevate Security scores employee risk based on their security actions, showing actionable trends while delivering personalized communications that nudge employees to better security habits.

ForAllSecure

ForAllSecure aims to secure the world’s software. Using patented technology from CMU research, ForAllSecure delivers a next generation fuzzing solution to Fortune 1000 companies in telecom, aerospace, automotive and more. DARPA named ForAllSecure a Cyber Grand Challenge winner and MIT Tech Review named it one of the 50 Smartest Companies.

INKY Technology

INKY is an industry leader in mail protection powered by unique computer vision, artificial intelligence, and machine learning. The company’s flagship product, INKY Phish Fence, uses these novel techniques to “see” each email much like a human does, to block phishing attacks that get through every other system.

Obsidian Security

Obsidian Cloud Detection and Response delivers frictionless security for SaaS. Using a unique identity graph and machine learning, Obsidian stops the most advanced attacks in the cloud. Unified visibility across applications, users, and data provides threat detection, breach remediation, and security hardening with no production impact.

SECURITI.ai

SECURITI.ai is a leader in AI-powered PrivacyOps. Its PRIVACI.ai solution automates privacy compliance with patent-pending People Data Graphs and robotic automation. It enables enterprises to give rights to people on their data, comply with global privacy regulations and build trust with customers.

Sqreen

Sqreen is the application security platform for the modern enterprise. Organizations of all sizes trust Sqreen to protect, observe and test their software. As opposed to pattern-based approaches, Sqreen analyses in-app execution in real time to deliver more robust security without compromising performance.

Tala Security

Tala safeguards the modern web against client-side risk. Tala’s AI-driven analytics engine continuously interrogates site architecture to work in concert with an advanced automation engine that activates standards-based security to prevent a broad range of client-side attacks like magecart, XSS, session re-directs, and client-side malware.

Vulcan Cyber

Vulcan is a vulnerability remediation and orchestration platform that is modernizing the way enterprises reduce cyber risk. With its remediation-driven approach, Vulcan automates and orchestrates the vulnerability remediation lifecycle, enabling security, operational and business teams to effectively remediate cyber risks at scale.

“The RSAC Innovation Sandbox has catapulted young companies to success for well over a decade. In fact, the top 10 finalists have collectively seen 48 acquisitions and raised $5.2 billion in investments to-date,” said Linda Gray Martin, Senior Director and General Manager, RSA Conference. “But what’s really exciting is how the competition has propelled the entire cybersecurity community forward by encouraging much-needed innovation and collaboration in an industry that faces new changes, threats and challenges every day. This year’s finalists will undoubtedly make for a tough decision for the judges and a must-see event for RSA Conference attendees.”

The contest kicks off at 1:30 PM PT on February 24 at the Moscone Center and winners will be announced at 4:30 PM that same day.