CVE-2023-1844: 
WordPress vulnerability analysis and mitigation

Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. The vulnerability was discovered by Claudio Bozzato and Francesco Benvenuto of Cisco Talos and was disclosed to the vendor on October 25, 2023, with a public release on December 5, 2023 (Talos Report).

The vulnerability exists in Buildroot's package hash checking functionality. When building a package, Buildroot executes the corresponding Makefile and downloads source code from the internet. The system is designed to verify the integrity of packages using hash files, but some packages were found to be missing these verification files. The vulnerability has a CVSSv3 score of 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-494 (Download of Code Without Integrity Check) (Talos Report).

A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder. Because packages can ship patch files or Makefiles, an attacker could execute arbitrary commands in the builder by supplying a compromised source package. This could allow tampering with any file generated for Buildroot's targets and hosts (Talos Report).

The issues have been fixed in Buildroot versions 2023.02.8, 2023.08.4, and 2023.11. The fixes include changing aufs/aufs-utils to fetch from https, modifying the fallback download location on source.buildroot.net to use https://, and adding hash files for affected packages. Additionally, support for providing hashes for custom files in the BR2GLOBALPATCHDIR location was added, along with a BR2DOWNLOADFORCECHECK_HASHES option to enforce hash checking (OSS Security).