Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a vulnerability in OpenWrt's DHCPv6 client that could allow for the injection of malicious code into administrative interfaces when lease data is displayed. The primary risk involves the potential for unauthorized actions or data exposure if an administrator views the affected lease information. The main concern is confirming relevance and exposure.
- Malicious code can be injected into lease data.
- Affects administrative access to DHCP lease information.
- Confirm relevance and exposure for affected systems.
Attack Path
How an attacker could exploit the issue
An attacker could inject malicious data into the DHCPv6 lease information, which is then displayed on the OpenWrt device's admin interface. This injection occurs because the system writes the DHCPv6 client hostname without proper escaping. When an administrator views the "Active DHCPv6 Leases" page, the injected data can be rendered as live HTML, potentially leading to a compromise of the admin session.
- No authentication required for injection.
- Displayed on admin lease page.
- Compromise admin session.
Live Threat
Current exploitation, exposure, and threat context
The vulnerability could allow an attacker to inject malicious content into the Active DHCPv6 Leases administrative page displayed by LuCI. This occurs when a DHCPv6 client's Fully Qualified Domain Name (FQDN) option is written to lease files without proper escaping, leading to newline injection. When this data is rendered as live HTML by the LuCI interface, it could expose sensitive information or allow for unauthorized actions within the administrative context.
- System lease data at risk.
- Forged lease data can inject script.
- Admin page could be compromised.
Operational Fix
Recommended remediation, mitigation, and detection steps
For OpenWrt devices running affected versions of odhcpd and LuCI, ownership likely falls to the embedded systems or infrastructure team managing these devices, with potential coordination needed from network or security teams if exposed externally. The first critical step is to inventory all OpenWrt devices, confirm if the LuCI web interface is accessible, and identify the business criticality of each device before planning remediation.
- Identify device owners and exposure.
- Verify LuCI administrative access.
- Plan remediation based on risk.