[OpenWrt-Devel] OpenWRT www version banner a security risk

MauritsVB mauritsvb at xs4all.nl
Mon Sep 14 10:18:24 EDT 2015


I agree that adding a robots.txt with
User-agent: *
Disallow: /
would be worth it, considering it’s a small effort and minimal space penalty.

It doesn’t stop banner-grabbing tools, but it does stop casual indexing by benign search tools.

Of course, removing the version banner or adding a robots.txt doesn’t stop a determined attacker specifically targeting a known machine. What it does do is prevent these systems from ending up in a detailed database of vulnerable systems. It should not be considered a replacement (or “job done”) for other security measures, just an extra line of protection.

Maurits

> On 13 Sep 2015, at 21:49, Daniel Dickinson <openwrt at daniel.thecshore.com> wrote:
> 
> On 2015-09-13 4:41 PM, Luiz Angelo Daros de Luca wrote:
>> While OpenWrt doesn't offer security releases, hiding the version in the banner
>> is not very effective. If the attacker can detect it is OpenWRT and if
>> there is a known security issue for any major version, it is enough to
>> try an attack.
>> 
>> robots.txt is effective as Google is a common tool to look for targets. I
> 
> Do you have any references / statistics / facts to justify this claim?
> 
>> guess brute-force scanners would not care to detect LuCI open to the web as
>> it is a rare target (if Google does not list them). If they care, again,
> 
> Erm, if LuCI is a rare target, then who is going to bother with searching for vulnerable banners?
> 
> Furthermore, the far better way to avoid this exposure is to prevent exposing the web interface unintentionally in the first place.
> 
> I'm not convinced robots.txt prevents a significant number of attacks, although given the small size of robots.txt I don't think it would hurt to include it anyway.
> 
> I'm merely pointing out that the robots.txt is really not a very effective solution to the stated reason for wanting it (protecting the user from accidental exposure, or from choosing to expose without realizing the risks of doing so).
> 
> I think solving the real problem is more important than relying on a bandaid and saying 'job done'.
> 
> (Which is how I view Etienne's robots.txt email).
> 
> Regards,
> 
> Daniel
> 
>> they would just try the known attack.
>> 
>> Regards,
>> 
>> 
>> Em dom, 13 de set de 2015 17:05, Daniel Dickinson
>> <openwrt at daniel.thecshore.com <mailto:openwrt at daniel.thecshore.com>>
>> escreveu:
>> 
>>    I do think allowing to choose to disable the banner is a minor benefit,
>>    however, as I've said, there are much more effective means of preventing
>>    accidental exposure, and quite frankly if the user is *choosing* to
>>    open the web interface I think a warning and disabling the banner if
>>    the user foolishly insists on opening the interface despite the warning
>>    is more useful than disabling the banner by default.
>> 
>>    If you're going to argue it prevents against internal threats then I
>>    would argue that if your internal network is hostile enough that you
>>    need to worry about attacks on openwrt from your internal network AND
>>    you're not skilled enough to limit access to LuCI (or better, build an
>>    image without LuCI and just use SSH) to the specific trusted hosts
>>    (preferably by combination of MAC address and IP address) in the
>>    firewall, or (better) to use a 'management' VPN or VLAN that only
>>    trusted hosts can get on, then you're in a lot more trouble than
>>    eliminating the banner for LuCI will solve.
>> 
>>    Regards,
>> 
>>    Daniel
>> 
>>    On 2015-09-13 10:21 AM, MauritsVB wrote:
>>     > At the moment the OpenWRT www login screen provides *very*
>>    detailed version information before anyone has even entered a
>>    password. It displays not just “15.05” or “Chaos Calmer” but even
>>    the exact git version on the banner.
>>     >
>>     > While it’s not advised to open this login screen to the world,
>>    fact is that it does happen intentionally or accidentally. Just a
>>    Google search for “Powered by LuCI Master (git-“ will provide many
>>    accessible OpenWRT login screens, including exact version information.
>>     >
>>     > As soon as someone discovers a vulnerability in an OpenWRT version
>>    all an attacker needs to do is perform a Google search to find many
>>    installations with versions that are vulnerable (even if a patch is
>>    already available).
>>     >
>>     > In the interest of hardening the default OpenWRT install, can I
>>    suggest that by default OpenWRT doesn’t disclose the version (not
>>    even 15.05 or “Chaos Calmer”) on the login screen? For extra safety
>>    I would even suggest to leave “OpenWRT” off the login screen, the
>>    only people who should use this screen already know it’s running
>>    OpenWRT.
>>     >
>>     > Any thoughts?
>>     >
>>     > Maurits
>>     >
>> 
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
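Maurits' observation is that the LuCI login page discloses the OpenWRT release and even the LuCI git revision before authentication, and that a search for “Powered by LuCI Master (git-” is enough to harvest those banners; the robots.txt he and Daniel discuss only helps if it actually carries a `User-agent: *` / `Disallow: /` group. The following is an added example, not code from this thread or from the OpenWrt/LuCI project: a small Python audit that does what a banner grabber would do (pull the branch, git revision and OpenWrt version out of the login page) and also parses a robots.txt to confirm it blocks all crawlers. The sample HTML, the footer markup and the robots.txt bodies are constructed for illustration; the real LuCI footer markup differs between builds, so the regexes are an assumption about the text form of the banner, not the project's exact template.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a LuCI login page footer (assumption: text in the form
# "Powered by LuCI <branch> (git-<rev>) / OpenWrt <codename> <version>").
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post" action="/cgi-bin/luci"><input name="password"></form>
<footer>
  <a href="https://github.com/openwrt/luci">Powered by LuCI Master (git-15.248.30277-3836b45)</a>
  / <a href="https://openwrt.org/">OpenWrt Chaos Calmer 15.05</a>
</footer>
</body></html>"""

# Constructed "hardened" variant: same login form, no product or version text.
HARDENED_LOGIN_PAGE = """<html><body>
<form method="post" action="/cgi-bin/luci"><input name="password"></form>
<footer></footer>
</body></html>"""

ROBOTS_BLOCK_ALL = "User-agent: *\nDisallow: /\n"            # what the thread proposes
ROBOTS_WEAK = "User-agent: Googlebot\nDisallow: /\n\nUser-agent: *\nDisallow:\n"

# "Powered by LuCI Master (git-..." is the search string Maurits used.
_LUCI_RE = re.compile(r"Powered by LuCI\s+([^()<]+?)\s*\(git-([0-9A-Za-z.\-]+)\)")
# Codename is optional so "OpenWrt 15.05" is caught as well as "OpenWrt Chaos Calmer 15.05".
_OPENWRT_RE = re.compile(r"OpenWrt\s+(?:([A-Za-z ]+?)\s+)?(\d+\.\d+(?:\.\d+)?)")


@dataclass
class BannerLeak:
    luci_branch: Optional[str] = None
    luci_git: Optional[str] = None
    openwrt_codename: Optional[str] = None
    openwrt_version: Optional[str] = None

    def disclosed(self) -> bool:
        return any(v is not None for v in vars(self).values())


def extract_banner(html: str) -> BannerLeak:
    """Pull pre-auth version information out of a login page, as a scanner would."""
    leak = BannerLeak()
    m = _LUCI_RE.search(html)
    if m:
        leak.luci_branch, leak.luci_git = m.group(1), m.group(2)
    m = _OPENWRT_RE.search(html)
    if m:
        leak.openwrt_codename, leak.openwrt_version = m.group(1), m.group(2)
    return leak


def robots_blocks_all(robots_txt: str) -> bool:
    """True if some group applying to all agents ('*') contains 'Disallow: /'.

    Minimal reading of the robots.txt format: a group is one or more
    User-agent lines followed by rule lines; '#' starts a comment; an
    empty Disallow value means "allow everything".
    """
    agents: List[str] = []
    disallow_root = in_rules = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:  # a new group begins; judge the one just finished
                if "*" in agents and disallow_root:
                    return True
                agents, disallow_root, in_rules = [], False, False
            agents.append(value)
        else:  # Disallow / Allow / Sitemap etc. all count as rule lines
            in_rules = True
            if key == "disallow" and value == "/":
                disallow_root = True
    return "*" in agents and disallow_root


def audit(login_html: str, robots_txt: Optional[str]) -> List[str]:
    """Return finding tags for an exposed LuCI login page."""
    findings = []
    leak = extract_banner(login_html)
    if leak.luci_branch or leak.luci_git:
        findings.append("luci-version")
    if leak.openwrt_codename or leak.openwrt_version:
        findings.append("openwrt-version")
    if robots_txt is None:
        findings.append("no-robots")
    elif not robots_blocks_all(robots_txt):
        findings.append("robots-weak")
    return findings


if __name__ == "__main__":
    print(extract_banner(SAMPLE_LOGIN_PAGE))
    print(audit(SAMPLE_LOGIN_PAGE, None), audit(HARDENED_LOGIN_PAGE, ROBOTS_BLOCK_ALL))
```

Run against a real device you own by fetching `/cgi-bin/luci` and `/robots.txt` and passing the bodies in. Note that the audit only tells you what a crawler or scanner can read; as Daniel points out, the fix that matters is not exposing the interface at all.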
