[OpenWrt-Devel] Building OpenWRT static kernels

David Lang david at lang.hm
Mon Mar 23 14:00:13 EDT 2015


On Mon, 23 Mar 2015, Jean-Michel Pouré - GOOZE wrote:

>> you would be horrified to look under the covers of most linux based
>> appliances,
>> a lot of them are running a stock redhat/centos install with very
>> little
>> customization outside of the userspace app that they run. Gaping
>> security holes
>> in such appliances are common.
>
> Yes, I agree with you.
>
> For example, DLink DGS-1210 products revision A1 are running a very old
> 2.6 Linux kernel and it could be very easy to penetrate, especially
> because no update is done on the firmware. All source code is available,
> so it is a matter of days before you understand how to break in. You
> probably only need to look at OpenSSL vulnerability list ...
>
> On the converse, we may discuss attack surface : a static kernel can
> have a very low attack surface. When it includes GrSec, it can become
> very difficult to penetrate. Hopefully  ... DLink appliances are using
> GrSec.
>
> With current OpenWRT configuration, the attack would be Luci => Kernel
> module. I wonder if specialized companies offer "on the shelf"
> penetration tools for OpenWRT, but it would not be surprising.
>
> IMHO, with current penetration tools, not using GrSec or a static kernel
> or both is simply too low.

the bigger risk is default passwords and non-encrypted management. It doesn't 
matter if you are using grsecurity, SELinux, etc if your root account is "admin" 
"password" on every box ever shipped.

No matter how secure the box is, if it's never updated, within a few years there 
will be vulnerabilities known for it.

David Lang
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


More information about the openwrt-devel mailing list