[OpenWrt-Devel] Security Advisory 2019-11-05-2 - LuCI CSRF vulnerability (CVE-2019-17367)

Hauke Mehrtens hauke at hauke-m.de
Wed Nov 13 17:34:46 EST 2019

Security Advisory 2019-11-05-2 - LuCI CSRF vulnerability (CVE-2019-17367)


A logic flaw in LuCI's HTTP routing component led to ineffective CSRF
token testing for various request endpoints, specifically ones using
the `arcombine()` dispatch action.

This allows 3rd party web pages running in the same browser session
as an active LuCI login session to perform unintended operations on
the device without user intervention, such as changing firewall rules
or reconfiguring the network.


In order to exploit this vulnerability, a user needs to be logged into
LuCI while visiting malicious websites in the same browser session, e.g.
within a different tab.


To fix this issue, update the affected LuCI package using the command

   `opkg update; opkg upgrade luci-base`

The fix is contained in the following and later versions:

 - OpenWrt master: git-19.282.28544-f8c6eb6
 - OpenWrt 19.07:  git-19.282.28544-f8c6eb6
 - OpenWrt 18.06:  git-19.282.28671-ee38da9

To workaround the problem, avoid visiting malicious sites while being
logged into LuCI. Changing the default router IP and hostname can also
help to mitigate the issue somewhat as CSRF exploits require predictable
URL targets to work.


To our knowledge, LuCI packages with OpenWrt versions 18.06.0 to 18.06.4
are affected.
The fixed LuCI packages are integrated in the OpenWrt 18.06.5, OpenWrt
19.07.0-rc1 and subsequent releases. Older versions of OpenWrt (e.g.
OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.


The issue has been reported by Abhinav Mohanty <amohant1 at uncc.edu>,
Parag Mhatre <pmhatre1 at uncc.edu> and Dr. Meera Sridhar
<msridhar at uncc.edu> from the University of North Carolina, Charlotte on
8th October 2019.
The issue has been fixed by Jo-Philipp Wich <jo at mein.io>



openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list