[OpenWrt-Devel] OpenWRT www version banner a security risk

MauritsVB mauritsvb at xs4all.nl
Sun Sep 13 10:21:02 EDT 2015

At the moment the OpenWRT www login screen provides *very* detailed version information before anyone has even entered a password. It displays not just “15.05” or “Chaos Calmer” but even the exact git version on the banner.

While it’s not advised to open this login screen to the world, the fact is that it does happen, intentionally or accidentally. Just a Google search for “Powered by LuCI Master (git-” will provide many accessible OpenWRT login screens, including exact version information.

As soon as someone discovers a vulnerability in an OpenWRT version, all an attacker needs to do is perform a Google search to find many installations with versions that are vulnerable (even if a patch is already available).

In the interest of hardening the default OpenWRT install, can I suggest that by default OpenWRT doesn’t disclose the version (not even 15.05 or “Chaos Calmer”) on the login screen? For extra safety I would even suggest leaving “OpenWRT” off the login screen; the only people who should use this screen already know it’s running OpenWRT.

Any thoughts?

