[OpenWrt-Devel] OpenWRT www version banner a security risk

Sami Olmari sami at olmari.fi
Tue Sep 15 09:43:19 EDT 2015

Mine vote for generally _not do anything_, Defaults are safe as pointed out
here few times... We can not start to babysit users from themselves... We
can guide, we can help and so on, but it's still end user responsibility
when opening port(s) to WAN, or securing access in a big LAN/VPN/VLAN/etc
-enviroment, we can't start pampering them...

 Sami Olmari

On Mon, Sep 14, 2015 at 6:30 PM, Joshua Judson Rosen <jrosen at harvestai.com>

> On 2015-09-13 10:21, MauritsVB wrote:
> > At the moment the OpenWRT www login screen provides *very* detailed
> version information before anyone has even entered a password. It displays
> not just “15.05” or “Chaos Calmer” but even the exact git version on the
> banner.
> >
> > While it’s not advised to open this login screen to the world, fact is
> that it does happen intentionally or accidentally. Just a Google search for
> “Powered by LuCI Master (git-“ will provide many accessible OpenWRT login
> screens, including exact version information.
> >
> > As soon as someone discovers a vulnerability in a OpenWRT version all an
> attacker needs to do is perform a Google search to find many installations
> with versions that are vulnerable (even if a patch is already available).
> >
> > In the interest of hardening the default OpenWRT install, can I suggest
> that by default OpenWRT doesn’t disclose the version (not even 15.05 or
> “Chaos Calmer”) on the login screen? For extra safety I would even suggest
> to leave “OpenWRT” off the login screen, the only people who should use
> this screen already know it’s running OpenWRT.
> >
> > Any thoughts?
> I think you'd also need to change a number of services to stop
> reporting detailed information in their protocol.
> For example: have you noticed that the ETag and Last-Modified
> values that uhttpd returns for a given path are identical
> across all installations of a given version of OpenWrt?
> It doesn't really matter if there's an OpenWrt version-number
> in the *content* fetched over HTTP--the client has already
> got that information before they even get the content.
> Another example: the version-info exchanged at the start
> of the SSH protocol.
> It's like deciding that you want to send an anonymous letter
> and so avoid signing your name on that letter, but still putting
> your name and return address on the outside of the envelope.
> --
> "Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20150915/8156b752/attachment.htm>
-------------- next part --------------
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list