Information Leak in OpenWrt’s ustream-ssl Library Affects Multiple Versions
CVE-2019-5102
4 MEDIUM
What is CVE-2019-5102?
The ustream-ssl library within OpenWrt versions 18.06.4 and 15.05.1 has a significant information leak vulnerability. When a client connects to a remote server, the SSL certificate validation process is initiated, but improper handling of invalid certificates leaves the system vulnerable. An attacker can exploit this flaw through a man-in-the-middle attack, introducing a rogue SSL certificate that tricks the victim into sending sensitive data unencrypted, compromising the confidentiality of the transmitted information during the initial request.
Affected Version(s)
OpenWRT OpenWrt 15.05.1, via wget (busybox)
OpenWRT OpenWrt 18.06.4, via wget (uclient-fetch)
