NVD Published Date: 03/03/2025
NVD Last Modified: 03/06/2025

Preface: The OpenWrt Project is a Linux operating system targeting embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it.

Background: Qualcomm’s FastConnect™ 7900 is embedded in the Snapdragon 8 Gen 3. This connectivity system is AI-optimized and integrates Wi-Fi 7, Bluetooth, and Ultra Wideband (UWB) technologies, providing unparalleled performance across mobile, compute, and XR experiences. The Snapdragon 8 Gen 3 firmware integrates cutting-edge technologies such as generative AI, enhanced camera capabilities, console-defying mobile gaming, and studio-quality lossless audio.

Remark: The Snapdragon 8 Gen 3 platform includes embedded firmware.

Vulnerability details:  The Qualcomm UCI command can encounter wraparound in scenarios where an integer overflow occurs during calculations. This happens when the logic assumes that the resulting value will always be larger than the original value, leading to a transient denial of service (DOS) condition.

Ref: Due to the combination of the command injection in the openwrt/imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision. The issue consists of two main components:

1. Command Injection in Imagebuilder: During image builds, user-supplied package names are incorporated into make commands without proper sanitization. This allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key.
2. Truncated SHA-256 Hash Collisions: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to “poison” the artifact cache and deliver compromised images to unsuspecting users.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-53025