[OpenWrt-Devel] OpenWRT www version banner a security risk
Daniel Dickinson
openwrt at daniel.thecshore.com
Sun Sep 13 11:10:48 EDT 2015
Hi Etienne,
This isn't about whether the default is safe, but what is useful to help
limit the damage if the user shoots themselves in the foot with
relatively easy mistakes for a newbie to make.
Breaking the firewall isn't hard, especially for a newbie, so the Ubuntu
philosophy of 'if there is no service running, it doesn't matter if there
is no firewall' applies.
It's not 100% true obviously, but the principle of not having
unnecessary services listening, and where services are necessary only
listening on addresses where they should be responding, is still a sound
security policy.
If there's no one answering the phone, it doesn't matter how loud you
shout at the handset (except of course that you might cause a local
disturbance and get in trouble).
Regards,
Daniel
On 2015-09-13 11:00 AM, Etienne Champetier wrote:
> Hi,
>
> On 13 Sept 2015 16:34, "Daniel Dickinson" <openwrt at daniel.thecshore.com>
> wrote:
> >
> > Actually two far more useful solutions:
> >
> > 1) By default only answer requests from the 'lan' network in
> /etc/config/uhttpd instead of 0.0.0.0/32
> > 2) Some useful alert if what appears to be a firewall
> misconfiguration is created (the default OpenWrt firewall blocks LuCI on WAN,
> therefore the current issue is that by default uhttpd listens on all
> addresses, not just lan, AND the user has broken their firewall and allowed
> HTTP access to the router on the WAN in the *firewall* config).
> >
> > Of the two 2) is harder and takes more work.
> >
> > Regards,
> >
> > Daniel
> >
> >
> > On 2015-09-13 10:28 AM, Daniel Dickinson wrote:
> >>
> >> Quite frankly if someone has unintentionally exposed LuCI to the internet I
> >> think they've got a lot bigger problem than exposed version information,
> >> and that not putting the version information at best delays only very
> >> slightly a would-be attacker.
> >>
> >> And for properly configured installs, the version information is
> >> extremely useful for doing support and such like.
> >>
> >> Not that it likely means much, but my vote is against such a weak bandaid to
> >> what is fundamentally an issue a user creates for themselves that is
> >> much larger than the details of what's on the screen.
> >>
> >> What would be a more relevant solution is for LuCI to have a banner that
> >> indicates that LuCI is visible on the WAN, thus alerting the user to
> >> a misconfiguration, if it is that.
> >>
> >> Regards,
> >>
> >> Daniel
> >>
> >> On 2015-09-13 10:21 AM, MauritsVB wrote:
> >>>
> >>> At the moment the OpenWRT www login screen provides *very* detailed
> >>> version information before anyone has even entered a password. It
> >>> displays not just “15.05” or “Chaos Calmer” but even the exact git
> >>> version on the banner.
> >>>
> >>> While it’s not advised to open this login screen to the world, fact is
> >>> that it does happen intentionally or accidentally. Just a Google
> >>> search for “Powered by LuCI Master (git-“ will provide many accessible
> >>> OpenWRT login screens, including exact version information.
> >>>
> >>> As soon as someone discovers a vulnerability in an OpenWRT version all
> >>> an attacker needs to do is perform a Google search to find many
> >>> installations with versions that are vulnerable (even if a patch is
> >>> already available).
> >>>
> >>> In the interest of hardening the default OpenWRT install, can I
> >>> suggest that by default OpenWRT doesn’t disclose the version (not even
> >>> 15.05 or “Chaos Calmer”) on the login screen? For extra safety I would
> >>> even suggest to leave “OpenWRT” off the login screen, the only people
> >>> who should use this screen already know it’s running OpenWRT.
> >>>
> >>> Any thoughts?
> >>>
> >>> Maurits
> >>>
>
> You should patch openwrt to add robots.txt
> Hiding the version doesn't really slow down an attack, the default config is safe,
> so for me all is OK.
>
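Daniel's first suggestion above, binding uhttpd to the LAN address instead of the wildcard address, can be checked and applied with a small audit script. The script below is an added example written for this page; it is not code from the thread, from OpenWrt, or from the uhttpd package. It assumes the stock layout of /etc/config/uhttpd, where each listener is a `list listen_http` or `list listen_https` entry of the form `ADDR:PORT`, and it uses a constructed sample config and the OpenWrt default LAN address 192.168.1.1 rather than touching a live router.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: audit a uhttpd
# UCI config for listeners bound to every address, and rewrite them to the
# LAN address. The sample config below is constructed for the example.

# Constructed sample modelled on a stock /etc/config/uhttpd, where the
# "list listen_http/listen_https" entries default to the wildcard address.
SAMPLE_UHTTPD='config uhttpd main
    list listen_http 0.0.0.0:80
    list listen_http [::]:80
    list listen_https 0.0.0.0:443
    list listen_https [::]:443
    option home /www
'

# wildcard_listens FILE
#   Prints one "listen_http ADDR" line per listener that answers on all
#   addresses (IPv4 0.0.0.0, IPv6 [::]). Quotes around UCI values are tolerated.
wildcard_listens() {
    awk '
        $1 == "list" && $2 ~ /^listen_https?$/ {
            addr = $3
            gsub(/["'\'']/, "", addr)
            if (addr ~ /^0\.0\.0\.0:/ || addr ~ /^\[::\]:/)
                print $2 " " addr
        }' "$1"
}

# exposed_count FILE
#   Number of wildcard listeners; 0 is the state the thread argues for.
exposed_count() {
    wildcard_listens "$1" | wc -l | tr -d ' '
}

# bind_to_lan FILE LAN_IPV4
#   Emits the same config with 0.0.0.0 replaced by LAN_IPV4. The [::] entries
#   are dropped rather than rewritten, because a LAN-only IPv6 binding depends
#   on the router's own ULA/GUA, which this example does not know.
bind_to_lan() {
    awk -v lan="$2" '
        $1 == "list" && $2 ~ /^listen_https?$/ {
            addr = $3
            gsub(/["'\'']/, "", addr)
            if (addr ~ /^\[::\]:/) next
            if (addr ~ /^0\.0\.0\.0:/) {
                sub(/^0\.0\.0\.0/, lan, addr)
                print "    " $1 " " $2 " " addr
                next
            }
        }
        { print }' "$1"
}

# Stand-alone run: write the sample, report, and show the rewritten config.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_UHTTPD" > "$tmp"
    echo "wildcard listeners before: $(exposed_count "$tmp")"
    bind_to_lan "$tmp" 192.168.1.1
    rm -f "$tmp"
fi
```

Run it with `sh audit-uhttpd.sh --demo` to see the sample reported as four wildcard listeners and then rewritten to 192.168.1.1. On a real router the same functions can be pointed at /etc/config/uhttpd; the rewrite only narrows the listening address and leaves the firewall rules alone, which is why it limits damage from the firewall mistake Daniel describes rather than relying on the firewall to be intact.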
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel