An attacker can inject malicious code in the SSH keys field and send the request to an unsuspecting user of OpenWrt devices.

This vulnerability affects all OpenWrt devices running the LuCI version git-22.140.66206-02913be.

Solution: Upgrade to the latest version. An upgrade is required to fix this issue.
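
The advisory does not show the affected code, so the following is an added example and not LuCI's own code: one way a handler for an SSH keys field can accept only well-formed public keys and encode the free-text comment before it is displayed in a web page. The function names, the list of accepted key types and the sample key are assumptions made for illustration.

```javascript
// Added example: strict validation of one line from an "SSH keys" form field.
// Names, accepted key types and the sample key are constructed for illustration.
const KEY_TYPES = new Set([
  'ssh-ed25519', 'ssh-rsa',
  'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521',
]);

// Returns {type, blob, comment} for a well-formed key line, or null.
function parseSshPublicKey(line) {
  if (typeof line !== 'string' || line.length > 8192) return null;
  // Exactly: type, base64 blob, optional comment. No control characters.
  const m = /^([a-z0-9-]+) ([A-Za-z0-9+/]+={0,2})(?: ([^\x00-\x1f\x7f]*))?$/.exec(line);
  if (!m || !KEY_TYPES.has(m[1])) return null;
  const raw = Buffer.from(m[2], 'base64');
  // Reject non-canonical base64 (Buffer.from silently skips bad input).
  if (raw.toString('base64') !== m[2]) return null;
  // The blob starts with a length-prefixed algorithm name that must
  // match the textual type, so arbitrary text cannot pose as a key.
  if (raw.length < 4) return null;
  const n = raw.readUInt32BE(0);
  if (n > raw.length - 4) return null;
  if (raw.toString('latin1', 4, 4 + n) !== m[1]) return null;
  return { type: m[1], blob: m[2], comment: m[3] || '' };
}

// The comment is free text, so encode it before it reaches any HTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Constructed sample: an ed25519-shaped blob with 32 zero bytes as the "key".
function sampleKeyLine(comment) {
  const name = Buffer.from('ssh-ed25519');
  const len = (n) => { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; };
  const blob = Buffer.concat([len(name.length), name, len(32), Buffer.alloc(32)]);
  return 'ssh-ed25519 ' + blob.toString('base64') + (comment ? ' ' + comment : '');
}
```

Input that does not parse is rejected before it is stored, and the comment of a key that does parse is passed through `escapeHtml` wherever it is rendered.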

CVE References: CVE-2018-11355, CVE-2018-11356, CVE-2018-11357, CVE-2018-11358, CVE-2018-11359, CVE-2018-11360, CVE-2018-11361, CVE-2018-11362, CVE-2018-11363, CVE-2018-11364, CVE-2018-11365, CVE-2018-11366, CVE-2018-11367, CVE-2018-11368, CVE-2018-11369, CVE-2018-11370, CVE-2018-11371, CVE-2018-11372, CVE-2018-11373, CVE-2018-11374, CVE-2018-11375, CVE-2018-11376, CVE-2018-11377, CVE-2018-11378.

LuCI is the web interface for OpenWrt devices. It is used to configure the device, monitor its status, and install packages.

Installation of packages using LuCI

To install packages using LuCI, you must be connected to the device via SSH.
1) Connect to your device with SSH
2) Create a directory called "packages" and move down into it with this command:
mkdir /packages/
cd /packages
3) Upload your desired package file(s) to this directory with these commands:
wget https://example.com/mypackage.tar.gz
mv mypackage.tar.gz mypackage.tar
4) Install the package with these commands:
php -f /packages/mypackage/index.php > installpkg

Steps to reproduce the bug:

1. Login via SSH to a vulnerable device
2. Type the following: "smc set key

OpenWrt’s version of LuCI

The latest version of LuCI is version git-22.140.66206-02913be, a security update that fixes the CVE-2018-11355, CVE-2018-11356, and CVE-2018-11357 vulnerabilities.
However, OpenWrt’s version of LuCI may not be updated because of the lack of an installation package. The best option is to upgrade the device firmware to the latest version to avoid any security risks.

Timeline

Published on: 11/03/2022 12:15:00 UTC
Last modified on: 11/04/2022 13:41:00 UTC
