CVE-2020-28951

9.8 CRITICAL

📋 TL;DR

CVE-2020-28951 is a use-after-free vulnerability in libuci (Unified Configuration Interface) used by OpenWrt. Attackers can exploit this by providing malicious package names to potentially execute arbitrary code or cause denial of service. This affects OpenWrt devices running vulnerable versions of libuci.

💻 Affected Systems

Products:
  • OpenWrt
  • Devices using OpenWrt firmware
Versions: OpenWrt versions before 18.06.9 and 19.x before 19.07.5
Operating Systems: OpenWrt/Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using libuci with the vulnerable code paths is affected when processing package names.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, allowing attackers to install malware, pivot to other systems, or create persistent backdoors.

🟠 Likely Case

Denial of service causing system crashes or instability, potentially requiring device reboot or reconfiguration.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent malicious package uploads.

🌐 Internet-Facing: HIGH - OpenWrt devices are often deployed as routers/gateways with internet exposure, making them prime targets.
🏢 Internal Only: MEDIUM - Internal devices could still be exploited via internal attacks or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious package names to trigger the use-after-free condition. The vulnerability is in core configuration parsing code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenWrt 18.06.9 and 19.07.5

Vendor Advisory: https://openwrt.org/advisory/2020-12-01-1

Restart Required: Yes

Instructions:

1. Update OpenWrt to version 18.06.9 or 19.07.5 or later.
2. Run 'opkg update && opkg upgrade'.
3. Reboot the device after the upgrade completes.

🔧 Temporary Workarounds

Restrict package management access (Linux):

  • Limit who can upload or modify packages on the OpenWrt device
  • Configure firewall rules to restrict access to package management services
  • Use strong authentication for administrative interfaces

🧯 If You Can't Patch

  • Network segmentation: Isolate OpenWrt devices from untrusted networks
  • Monitor for suspicious package uploads or configuration changes

🔍 How to Verify

Check if Vulnerable:

Check the OpenWrt release with 'cat /etc/openwrt_release', or the installed libuci package version with 'opkg list-installed | grep uci'.

Check Version:

cat /etc/openwrt_release | grep VERSION

Verify Fix Applied:

Confirm the release is 18.06.9 or later on the 18.06 branch, or 19.07.5 or later on the 19.07 branch, and that the libuci package has been updated.
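The version check above, scripted so it can be run across a fleet, as an added example that is not part of the advisory or of the OpenWrt project. It reads the DISTRIB_RELEASE line that /etc/openwrt_release carries and classifies the release against the fixed versions stated above (18.06.9 and 19.07.5). The function names are hypothetical, the sample release file is constructed, and two assumptions are made: a release string containing SNAPSHOT cannot be classified by version number alone, and branches newer than 19.07 count as fixed because the advisory states "or later".

```shell
#!/bin/sh
# Added example (not from the advisory or OpenWrt): classify an OpenWrt release
# against the CVE-2020-28951 fixed versions 18.06.9 and 19.07.5.

# Print the DISTRIB_RELEASE value from an openwrt_release file (default path),
# with surrounding quotes removed.
openwrt_release_version() {
    f="${1:-/etc/openwrt_release}"
    grep '^DISTRIB_RELEASE=' "$f" | head -n 1 | cut -d= -f2- | tr -d "'\""
}

# Numeric component N (1=major, 2=minor, 3=patch) of a dotted version.
# Non-numeric suffixes and leading zeros are stripped; a missing part is 0.
ver_part() {
    p=$(printf '%s' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//; s/^0*//')
    printf '%s' "${p:-0}"
}

# Succeed (exit 0) when version $1 is strictly older than version $2.
ver_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(ver_part "$1" "$i")
        y=$(ver_part "$2" "$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Print vulnerable / fixed / unknown for a release string.
# Assumption: SNAPSHOT builds are not classifiable by version number, and
# releases newer than 19.07.5 are treated as fixed ("or later").
cve_2020_28951_status() {
    v="$1"
    case "$v" in
        ''|*SNAPSHOT*|*snapshot*) printf 'unknown\n'; return 0 ;;
    esac
    if ver_lt "$v" "18.06.9"; then
        printf 'vulnerable\n'          # 17.x and 18.06.0-18.06.8
    elif [ "$(ver_part "$v" 1)" -eq 19 ] && ver_lt "$v" "19.07.5"; then
        printf 'vulnerable\n'          # 19.x before 19.07.5
    else
        printf 'fixed\n'               # 18.06.9+, 19.07.5+, newer branches
    fi
}

# Classify the release recorded in an openwrt_release file.
check_release_file() {
    cve_2020_28951_status "$(openwrt_release_version "$1")"
}

# Demo on a constructed sample file (placeholder values, not a real device).
sample=$(mktemp)
cat > "$sample" <<'EOF'
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='19.07.4'
DISTRIB_REVISION='rXXXX-placeholder'
EOF
printf 'sample release %s: %s\n' "$(openwrt_release_version "$sample")" \
    "$(check_release_file "$sample")"
rm -f "$sample"
```

On a real device run `check_release_file` with no argument so it reads /etc/openwrt_release; a result of "fixed" only confirms the base release, so still confirm the libuci package itself has been updated, as the step above says.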

📡 Detection & Monitoring

Log Indicators:

  • Unexpected package installation attempts
  • System crashes or segmentation faults in uci processes
  • Failed authentication attempts to package management interfaces

Network Indicators:

  • Unusual network traffic to/from OpenWrt management interfaces
  • Suspicious package uploads via HTTP/HTTPS

SIEM Query:

source="openwrt" AND (event="package_install" OR event="uci_error" OR process="uci")

🔗 References
