Impact
A vulnerability was found in ecdsautils which allows forgery of ECDSA signatures. An adversary exploiting this vulnerability can create an update manifest accepted by the autoupdater, which can be used to distribute malicious firmware updates by spoofing a Gluon node's connection to the update server.
All Gluon versions with autoupdater are affected. Requiring multiple signatures does not mitigate the issue.
Patches
Signature verification has been fixed in Gluon 2021.1.2. In addition, release branches for some older Gluon versions have been updated regardless of EOL status.
Workarounds
To mitigate the issue on individual nodes, disable the autoupdater until a patched firmware is available, either in config mode or with the following commands:
uci set autoupdater.settings.enabled=0
uci commit autoupdater
A fixed firmware should be installed manually before enabling the autoupdater again.
References
Further information can be found in the ecdsautils advisory. CVE-2022-24884 has been assigned to this vulnerability.