[OpenWrt-Devel] OpenWRT www version banner a security risk
Joshua Judson Rosen
jrosen at harvestai.com
Mon Sep 14 11:30:34 EDT 2015
On 2015-09-13 10:21, MauritsVB wrote:
> At the moment the OpenWRT www login screen provides *very* detailed version information before anyone has even entered a password. It displays not just “15.05” or “Chaos Calmer” but even the exact git version on the banner.
> While it’s not advised to open this login screen to the world, fact is that it does happen intentionally or accidentally. Just a Google search for “Powered by LuCI Master (git-“ will provide many accessible OpenWRT login screens, including exact version information.
> As soon as someone discovers a vulnerability in a OpenWRT version all an attacker needs to do is perform a Google search to find many installations with versions that are vulnerable (even if a patch is already available).
> In the interest of hardening the default OpenWRT install, can I suggest that by default OpenWRT doesn’t disclose the version (not even 15.05 or “Chaos Calmer”) on the login screen? For extra safety I would even suggest to leave “OpenWRT” off the login screen, the only people who should use this screen already know it’s running OpenWRT.
> Any thoughts?
I think you'd also need to change a number of services to stop
reporting detailed information in their protocol.
For example: have you noticed that the ETag and Last-Modified
values that uhttpd returns for a given path are identical
across all installations of a given version of OpenWrt?
It doesn't really matter if there's an OpenWrt version-number
in the *content* fetched over HTTP--the client has already
got that information before they even get the content.
Another example: the version-info exchanged at the start
of the SSH protocol.
It's like deciding that you want to send an anonymous letter
and so avoid signing your name on that letter, but still putting
your name and return address on the outside of the envelope.
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
More information about the openwrt-devel