[OpenWrt-Devel] OpenWRT www version banner a security risk

Etienne Champetier champetier.etienne at gmail.com
Sun Sep 13 11:00:58 EDT 2015


On 13 Sept 2015 16:34, "Daniel Dickinson" <openwrt at daniel.thecshore.com> wrote:
> Actually two far more useful solutions:
> 1) By default only answer requests from 'lan' network in
> /etc/config/uhttp instead of
> 2) Some useful alert if what appears to be a firewall misconfiguration
> is created (default OpenWrt firewall blocks LuCI on WAN, therefore the
> current issue is that by default uhttpd listens on all addresses, not just
> lan AND user has broken their firewall and allowed HTTP access to the
> router on the WAN in the *firewall* config.
> Of the two 2) is harder and takes more work.
> Regards,
> Daniel
> On 2015-09-13 10:28 AM, Daniel Dickinson wrote:
>> Quite frankly if someone has unintentionally exposed LuCI to the internet I
>> think they've got a lot bigger problem than exposed version information,
>> and that not putting the version information at best delays only very
>> slightly a would-be attacker.
>> And for properly configured installs, the version information is
>> extremely useful for doing support and such like.
>> Not that it likely means much, my vote is against such weak bandaid to
>> what is fundamentally an issue a user creates for themselves that is
>> much larger than the details of what's on the screen.
>> What would be a more relevant solution is for LuCI to have a banner that
>> indicates that the LuCI is visible on the WAN, thus alerting the user to
>> a misconfiguration, if it is that.
>> Regards,
>> Daniel
>> On 2015-09-13 10:21 AM, MauritsVB wrote:
>>> At the moment the OpenWRT www login screen provides *very* detailed
>>> version information before anyone has even entered a password. It
>>> displays not just “15.05” or “Chaos Calmer” but even the exact git
>>> version on the banner.
>>> While it’s not advised to open this login screen to the world, fact is
>>> that it does happen intentionally or accidentally. Just a Google
>>> search for “Powered by LuCI Master (git-“ will provide many accessible
>>> OpenWRT login screens, including exact version information.
>>> As soon as someone discovers a vulnerability in an OpenWRT version all
>>> an attacker needs to do is perform a Google search to find many
>>> installations with versions that are vulnerable (even if a patch is
>>> already available).
>>> In the interest of hardening the default OpenWRT install, can I
>>> suggest that by default OpenWRT doesn’t disclose the version (not even
>>> 15.05 or “Chaos Calmer”) on the login screen? For extra safety I would
>>> even suggest to leave “OpenWRT” off the login screen, the only people
>>> who should use this screen already know it’s running OpenWRT.
>>> Any thoughts?
>>> Maurits

You should patch openwrt to add robots.txt
Hiding version doesn't really slow down attack, default config is safe, so
for me all is OK.
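
The first suggestion quoted above turns on which addresses uhttpd binds to. As an added example (not part of this thread and not OpenWrt code), the script below reads UCI text in the format of the uhttpd config file and lists every `listen_http` / `listen_https` entry bound to all addresses; the function names, both sample configs and the 192.168.1.1 LAN address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not OpenWrt code: list uhttpd listeners bound to every address.

# Reads UCI text (the format of the uhttpd config file) on stdin and prints
# one line per wildcard listener: "<section> <option> <address>".
wildcard_listeners() {
    awk -v q="'" '
        { gsub(q, ""); gsub(/"/, "") }            # strip UCI quoting
        $1 == "config" { section = $3; next }     # remember the section name
        ($1 == "list" || $1 == "option") && $2 ~ /^listen_https?$/ {
            # Wildcard forms: bare port, 0.0.0.0:port, [::]:port
            if ($3 ~ /^[0-9]+$/ || $3 ~ /^0\.0\.0\.0:/ || $3 ~ /^\[::\]:/)
                print section, $2, $3
        }
    '
}

# Constructed sample: listeners on all addresses, as described in the thread.
sample_all_addresses() {
    cat <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	option home '/www'
EOF
}

# Constructed sample: bound to one LAN address (192.168.1.1 is an assumption).
sample_lan_only() {
    cat <<'EOF'
config uhttpd 'main'
	list listen_http '192.168.1.1:80'
	list listen_https '192.168.1.1:443'
	option home '/www'
EOF
}

echo "all-addresses sample:"
sample_all_addresses | wildcard_listeners
echo "lan-only sample: $(sample_lan_only | wildcard_listeners | wc -l) wildcard listeners"
```

An empty result only says that uhttpd is not bound to every address; whether the firewall config allows HTTP from the WAN is a separate check.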