[OpenWrt-Devel] OpenWRT www version banner a security risk

L. D. Pinney ldpinney at gmail.com
Sun Sep 13 15:06:08 EDT 2015


+1 for Etienne

Patch OpenWrt to add robots.txt

On Sun, Sep 13, 2015 at 12:45 PM, Daniel Dickinson <
openwrt at daniel.thecshore.com> wrote:

> My point, especially if you read this post fully, and the following, is
> that not displaying the banner is minimally useful, and that other measure
> to achieve the same goal (protect user when they mistakes) are far more
> useful/meaninful than eliminating the banner.
>
> Regards,
>
> Daniel
>
>
> On 2015-09-13 11:34 AM, MauritsVB wrote:
>
>> I see where you’re coming from but I disagree that one should always rely
>> on the user to know exactly what to do and what not to do. A bit of basic
>> prevention doesn’t hurt.
>>
>> Wouldn’t you agree that if you follow that line you might as well argue
>> that OpenWRT should not come with default-deny rules in the firewall? After
>> all, anyone who is savvy enough to install OpenWRT should then also know
>> that by default it has no firewall rules.
>>
>> There is a reason that not displaying too much information in banners is
>> good security practice. It slows down the reconnaissance phase of an attack
>> (using “banner grabbing” tools) and can persuade many attackers to even
>> skip a specific target. Even for complex server software and hardware that
>> requires far more expert operators than OpenWRT it is still best practice
>> not to give too much away about the specific version. It’s why companies
>> such as Cisco and Juniper advise not to disclose version information in
>> banners.
>>
>> Of course, by not displaying by default but making it a configurable
>> option any admin who requires if for support purposes could still enable it.
>>
>> As for your idea about warning users that their LuCI is reachable via
>> WAN, I agree, that definitely makes sense. However, I see that as a
>> separate issue from displaying security sensitive information on the login
>> page.
>>
>> Maurits
>>
>> On 13 Sep 2015, at 15:28, Daniel Dickinson <openwrt at daniel.thecshore.com>
>>> wrote:
>>>
>>> Quite frankly if someone has unintionally exposed LuCI to the internet I
>>> think they've got a lot bigger problem than exposed version information,
>>> and that not putting the version information at best delays only very
>>> slightly a would be attacker.
>>>
>>> And for properly configured installs, the version information is
>>> extremely useful for doing support and such like.
>>>
>>> Not that it likely means much, by vote is against such weak bandaid to
>>> what is fundamentally an issue a user creates for themselves that is much
>>> larger than the details of what's on the screen.
>>>
>>> What would be more relevent solution is for LuCI to have a banner that
>>> indicates that the LuCI is visible on the WAN, thus alerting the user to a
>>> misconfiguration, if it is that.
>>>
>>> Regards,
>>>
>>> Daniel
>>>
>>> On 2015-09-13 10:21 AM, MauritsVB wrote:
>>>
>>>> At the moment the OpenWRT www login screen provides *very* detailed
>>>> version information before anyone has even entered a password. It displays
>>>> not just “15.05” or “Chaos Calmer” but even the exact git version on the
>>>> banner.
>>>>
>>>> While it’s not advised to open this login screen to the world, fact is
>>>> that it does happen intentionally or accidentally. Just a Google search for
>>>> “Powered by LuCI Master (git-“ will provide many accessible OpenWRT login
>>>> screens, including exact version information.
>>>>
>>>> As soon as someone discovers a vulnerability in a OpenWRT version all
>>>> an attacker needs to do is perform a Google search to find many
>>>> installations with versions that are vulnerable (even if a patch is already
>>>> available).
>>>>
>>>> In the interest of hardening the default OpenWRT install, can I suggest
>>>> that by default OpenWRT doesn’t disclose the version (not even 15.05 or
>>>> “Chaos Calmer”) on the login screen? For extra safety I would even suggest
>>>> to leave “OpenWRT” off the login screen, the only people who should use
>>>> this screen already know it’s running OpenWRT.
>>>>
>>>> Any thoughts?
>>>>
>>>> Maurits
>>>> _______________________________________________
>>>> openwrt-devel mailing list
>>>> openwrt-devel at lists.openwrt.org
>>>> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>>>>
>>>> _______________________________________________
>>> openwrt-devel mailing list
>>> openwrt-devel at lists.openwrt.org
>>> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>>
>> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20150913/851e7383/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


More information about the openwrt-devel mailing list