[OpenWrt-Devel] Security Advisory 2019-11-05-3 - ustream-ssl information disclosure (CVE-2019-5101, CVE-2019-5102)

Hauke Mehrtens hauke at hauke-m.de
Wed Nov 13 17:33:49 EST 2019

Security Advisory 2019-11-05-3 - ustream-ssl information disclosure
(CVE-2019-5101, CVE-2019-5102)


An exploitable information leak vulnerability exists in the ustream-ssl
library of OpenWrt. When connecting to a remote server, the server's
SSL certificate is checked but no action is taken when the certificate
is invalid. An attacker could exploit this behavior by performing a
man-in-the-middle attack, providing any certificate, leading to the
theft of all the data sent by the client during the first request.


In order to exploit this vulnerability, a malicious actor needs to
perform a man-in-the-middle attack, presenting a requesting ustream-ssl
client with any invalid certificate. The ustream-ssl client will
eventually tear down the SSL connection due to that, but only after
flushing pending data, e.g. the HTTP request payload in case of an
HTTPS client application.


To fix this issue, update the affected ustream-ssl packages using
the command below.

   `opkg update; opkg upgrade libustream-mbedtls libustream-openssl`

The fix is contained in the following and later versions:

 - OpenWrt master: 2019-11-05-c9b66682-1
 - OpenWrt 19.07:  2019-08-17-e8f9c22d-2
 - OpenWrt 18.06:  2018-07-30-23a3f283-2


To our knowledge, OpenWrt versions 18.06.0 to 18.06.4 are affected.
The fixed packages are integrated in the OpenWrt 18.06.5, OpenWrt
19.07.0-rc1 and subsequent releases. Older versions of OpenWrt (e.g.
OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.


The issue has been reported by the Claudio Bozzato of Cisco Talos on
11th September 2019.
The issue has been fixed by Jo-Philipp Wich <jo at mein.io>



openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list