[OpenWrt-Devel] Building OpenWRT static kernels
Jean-Michel Pouré - GOOZE
jmpoure at gooze.eu
Mon Mar 23 13:55:16 EDT 2015
> you would be horrified to look under the covers of most linux based
> a lot of them are running a stock redhat/centos install with very
> customization outside of the userspace app that they run. Gaping
> security holes
> in such appliances are common.
Yes, I agree with you.
For example, DLink DGS-1210 products revision A1 are running a very old
2.6 Linux kernel and it could be very easy to penetrate, especially
because no update is done on the firmware. All source code is available,
so it is a matter of days before you understand how to break in. You
probably only need to look at OpenSSL vulnerability list ...
On the converse, we may discuss attack surface : a static kernel can
have a very low attack surface. When it includes GrSec, it can become
very difficult to penetrate. Hopefully ... DLink appliances are using
With current OpenWRT configuration, the attack would be Luci => Kernel
module. I wonder if specialized companies offer "on the shelf"
penetration tools for OpenWRT, but it would not be surprising.
IMHO, with current penetration tools, not using GrSec or a static kernel
or both is simply too low.
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
More information about the openwrt-devel