[OpenWrt-Devel] OpenWRT www version banner a security risk

Etienne Champetier champetier.etienne at gmail.com
Sun Sep 13 17:19:37 EDT 2015

Hi again,

Le 13 sept. 2015 22:50, "Daniel Dickinson" <openwrt at daniel.thecshore.com> a
écrit :
> On 2015-09-13 4:41 PM, Luiz Angelo Daros de Luca wrote:
>> While openwrt doesn't offer security release, hiding version in banner
>> is not very effective. If the attacker can detect it is OpenWRT and if
>> there is a known security issue for any major version, it is enough to
>> try an attack.
>> Robot.txt is effective as Google is a common tool to look for targets. I
> Do you have any references / statistics / facts to justify this claim?
>> guess brute force scanners would not care to detect luci open to web as
>> it is a rare target (if Google does not list them). If they care, again,
> Erm, if luci is rare target, then who is going to bother with searching
for vulnerable banners?
> Furthermore, the far better way to avoid this exposure is prevent
exposing the web interface unintentionally in the first place.
> I'm not convinced robots.txt prevents a significant number attacks,
although given small size of robots.txt I don't think it would hurt to
include it anyway.
> I'm merely pointing out that the robots.txt is really not a very
effective solution to the stated reason for wanting it (protecting user
from accidental exposure, or from choosing to expose without realize the
risks of doing so).
> I think solving the real problem is more important than relying on a
bandaid and saying 'job done'.
> (Which is how I view Etienne's robots.txt email).

Sorry i gave a wrong impresion.
My point is even if you give no version information at all, there is still
enough change between each release to have unique signature, and ipv4 can
be scanned in hours, so if it's open you're dead.
robots.txt is just there to slow down scriptskiddies, not a fix at all
(We can still use robots.txt to warn the user)

> Regards,
> Daniel
>> they would just try the known attack.
>> Regards,
>> Em dom, 13 de set de 2015 17:05, Daniel Dickinson
>> <openwrt at daniel.thecshore.com <mailto:openwrt at daniel.thecshore.com>>
>> escreveu:
>>     I do think allowing to choose to disable the banner is a minor
>>     however, as I've said, there are much more effective means of
>>     accidential exposure, and quite frankly if the user is *choosing* to
>>     open the web interface I think an warning and disabling the banner if
>>     the user foolishly insists on opening the interface despite the
>>     is more useful thank disabling the banner by default.
>>     If you're going to argue it prevents against internal threats than I
>>     would argue that if your internal network is hostile enough that you
>>     need to worry about attacks on openwrt from your internal network AND
>>     you're not skilled enough to limit access to LuCI (or better, build
>>     image without LuCI and just use SSH) to the specific trusted hosts
>>     (preferably by combination of MAC address and IP address) in the
>>     firewall, or (better) to use a 'management' VPN or VLAN that only
>>     trusted hosts can get on, then you're in a lot more trouble than
>>     eliminating the banner for LuCI will solve.
>>     Regards,
>>     Daniel
>>     On 2015-09-13 10:21 AM, MauritsVB wrote:
>>      > At the moment the OpenWRT www login screen provides *very*
>>     detailed version information before anyone has even entered a
>>     password. It displays not just “15.05” or “Chaos Calmer” but even
>>     the exact git version on the banner.
>>      >
>>      > While it’s not advised to open this login screen to the world,
>>     fact is that it does happen intentionally or accidentally. Just a
>>     Google search for “Powered by LuCI Master (git-“ will provide many
>>     accessible OpenWRT login screens, including exact version
>>      >
>>      > As soon as someone discovers a vulnerability in a OpenWRT version
>>     all an attacker needs to do is perform a Google search to find many
>>     installations with versions that are vulnerable (even if a patch is
>>     already available).
>>      >
>>      > In the interest of hardening the default OpenWRT install, can I
>>     suggest that by default OpenWRT doesn’t disclose the version (not
>>     even 15.05 or “Chaos Calmer”) on the login screen? For extra safety
>>     I would even suggest to leave “OpenWRT” off the login screen, the
>>     only people who should use this screen already know it’s running
>>     OpenWRT.
>>      >
>>      > Any thoughts?
>>      >
>>      > Maurits
>>      > _______________________________________________
>>      > openwrt-devel mailing list
>>      > openwrt-devel at lists.openwrt.org
>>     <mailto:openwrt-devel at lists.openwrt.org>
>>      > https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>>      >
>>     _______________________________________________
>>     openwrt-devel mailing list
>>     openwrt-devel at lists.openwrt.org <mailto:
openwrt-devel at lists.openwrt.org>
>>     https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20150913/91da440e/attachment.htm>
-------------- next part --------------
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list