CVE-2020-7982
📋 TL;DR
This vulnerability in OpenWrt/LEDE's opkg package manager allows man-in-the-middle attackers to inject malicious packages that install without verification. It affects OpenWrt 18.06.0-18.06.6 and 19.07.0, and LEDE 17.01.0-17.01.7. Attackers can achieve remote code execution on vulnerable routers and embedded devices.
💻 Affected Systems
- OpenWrt
- LEDE
📦 What is this software?
- LEDE, by OpenWrt
- OpenWrt, by OpenWrt
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary package installation leading to persistent backdoor, data theft, and device takeover
Likely Case
Malicious package installation resulting in remote code execution, network compromise, and lateral movement
If Mitigated
No impact if using patched versions or isolated networks with certificate pinning
🎯 Exploit Status
Exploitation requires MITM position but no authentication; public proof-of-concept demonstrates package injection
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: opkg after 2020-01-25; OpenWrt 18.06.7+, 19.07.1+
Vendor Advisory: https://openwrt.org/advisory/2020-01-31-1
Restart Required: No
Instructions:
1. Update the opkg package:
opkg update && opkg upgrade opkg
2. Update the entire system:
opkg update && opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
3. For firmware: flash OpenWrt 18.06.7+ or 19.07.1+
🔧 Temporary Workarounds
Use HTTPS repositories only
Configure opkg to use only HTTPS repositories to prevent MITM attacks
sed -i 's/http:/https:/g' /etc/opkg/distfeeds.conf
opkg update
Disable package updates
Temporarily disable package manager updates until patching
rm /etc/opkg/distfeeds.conf
echo 'src/gz openwrt_core file:///dev/null' > /etc/opkg/distfeeds.conf
🧯 If You Can't Patch
- Isolate vulnerable devices from untrusted networks and internet
- Implement network segmentation and monitor for suspicious package installation attempts
🔍 How to Verify
Check if Vulnerable:
Check the opkg version with `opkg --version | head -1`; versions before 2020-01-25 are vulnerable
Check Version:
opkg --version | head -1
Verify Fix Applied:
Verify that the opkg version is after 2020-01-25:
opkg --version | grep -q 2020 && echo "Patched" || echo "Vulnerable"
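The version check above only looks for the string "2020", so it reports "Patched" for any 2020-dated build. The following POSIX sh helpers are an added example (not code from the advisory or the OpenWrt project): they parse the full build date from `opkg --version` and compare it against 2020-01-25, and they count the plain-http feeds in `/etc/opkg/distfeeds.conf`, which is the channel the HTTPS workaround above is meant to close. The version strings and the distfeeds.conf content are constructed sample input; `audit_device` runs the live checks only where an `opkg` binary exists.

```shell
#!/bin/sh
# Added audit helpers for CVE-2020-7982 (example code, not from the advisory
# or the OpenWrt project). Both checks take text as an argument so they can
# be exercised offline; audit_device feeds them live values on a real router.

FIX_DATE_NUM=20200125   # opkg build date that carries the fix (2020-01-25)

# Returns 0 when the opkg build date is on/after the fix date, 1 when it is
# older, and 2 when no YYYY-MM-DD date can be found in the text at all.
opkg_is_patched() {
    build_date=$(printf '%s\n' "$1" | grep -oE '[0-9]{4}-[0-9]{2}-[0-9]{2}' | head -n 1)
    [ -n "$build_date" ] || return 2
    # strip the dashes so the ISO date compares as an integer (2020-01-25 -> 20200125)
    [ "$(printf '%s' "$build_date" | sed 's/-//g')" -ge "$FIX_DATE_NUM" ]
}

# Prints how many feed lines (src or src/gz) still fetch over plain http://,
# the unauthenticated channel a man-in-the-middle attacker needs for this bug.
insecure_feed_count() {
    printf '%s\n' "$1" | grep -cE '^src(/gz)?[[:space:]]+[^[:space:]]+[[:space:]]+http://' || true
}

# Live check on a router: reads opkg's own version string and distfeeds.conf.
audit_device() {
    rc=0
    opkg_is_patched "$(opkg --version 2>&1)" || rc=$?
    case "$rc" in
        0) echo "opkg: patched (build date on or after 2020-01-25)" ;;
        1) echo "opkg: VULNERABLE (build date before 2020-01-25)" ;;
        *) echo "opkg: could not parse a build date, check manually" ;;
    esac
    n=$(insecure_feed_count "$(cat /etc/opkg/distfeeds.conf 2>/dev/null)")
    echo "plain-http feeds in /etc/opkg/distfeeds.conf: $n"
}

# Constructed sample input (not captured from a device): a 19.07.0-style
# distfeeds.conf with two plain-http feeds and one https feed.
SAMPLE_FEEDS='src/gz openwrt_core http://downloads.openwrt.org/releases/19.07.0/targets/ath79/generic/packages
src/gz openwrt_base http://downloads.openwrt.org/releases/19.07.0/packages/mips_24kc/base
src/gz openwrt_packages https://downloads.openwrt.org/releases/19.07.0/packages/mips_24kc/packages'

# Only run the live audit where opkg actually exists (i.e. on the router).
if command -v opkg >/dev/null 2>&1; then
    audit_device
fi
```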
📡 Detection & Monitoring
Log Indicators:
- Unexpected package installations in /var/log/opkg.log
- Package signatures failing verification
Network Indicators:
- MITM activity between device and package repositories
- Unencrypted package downloads
SIEM Query:
source="/var/log/opkg.log" AND "install" AND NOT expected_package_name
🔗 References
- https://arstechnica.com/information-technology/2020/03/openwrt-is-vulnerable-to-attacks-that-execute-malicious-code/
- https://blog.forallsecure.com/uncovering-openwrt-remote-code-execution-cve-2020-7982
- https://github.com/openwrt/openwrt/commits/master
- https://openwrt.org/advisory/2020-01-31-1