[OpenWrt-Devel] OpenWRT www version banner a security risk

Luiz Angelo Daros de Luca luizluca at gmail.com
Sun Sep 13 16:41:01 EDT 2015


While openwrt doesn't offer security release, hiding version in banner is
not very effective. If the attacker can detect it is OpenWRT and if there
is a known security issue for any major version, it is enough to try an
attack.

Robot.txt is effective as Google is a common tool to look for targets. I
guess brute force scanners would not care to detect luci open to web as it
is a rare target (if Google does not list them). If they care, again, they
would just try the known attack.

Regards,

Em dom, 13 de set de 2015 17:05, Daniel Dickinson <
openwrt at daniel.thecshore.com> escreveu:

> I do think allowing to choose to disable the banner is a minor benefit,
> however, as I've said, there are much more effective means of preventing
> accidential exposure, and quite frankly if the user is *choosing* to
> open the web interface I think an warning and disabling the banner if
> the user foolishly insists on opening the interface despite the warning
> is more useful thank disabling the banner by default.
>
> If you're going to argue it prevents against internal threats than I
> would argue that if your internal network is hostile enough that you
> need to worry about attacks on openwrt from your internal network AND
> you're not skilled enough to limit access to LuCI (or better, build an
> image without LuCI and just use SSH) to the specific trusted hosts
> (preferably by combination of MAC address and IP address) in the
> firewall, or (better) to use a 'management' VPN or VLAN that only
> trusted hosts can get on, then you're in a lot more trouble than
> eliminating the banner for LuCI will solve.
>
> Regards,
>
> Daniel
>
> On 2015-09-13 10:21 AM, MauritsVB wrote:
> > At the moment the OpenWRT www login screen provides *very* detailed
> version information before anyone has even entered a password. It displays
> not just “15.05” or “Chaos Calmer” but even the exact git version on the
> banner.
> >
> > While it’s not advised to open this login screen to the world, fact is
> that it does happen intentionally or accidentally. Just a Google search for
> “Powered by LuCI Master (git-“ will provide many accessible OpenWRT login
> screens, including exact version information.
> >
> > As soon as someone discovers a vulnerability in a OpenWRT version all an
> attacker needs to do is perform a Google search to find many installations
> with versions that are vulnerable (even if a patch is already available).
> >
> > In the interest of hardening the default OpenWRT install, can I suggest
> that by default OpenWRT doesn’t disclose the version (not even 15.05 or
> “Chaos Calmer”) on the login screen? For extra safety I would even suggest
> to leave “OpenWRT” off the login screen, the only people who should use
> this screen already know it’s running OpenWRT.
> >
> > Any thoughts?
> >
> > Maurits
> > _______________________________________________
> > openwrt-devel mailing list
> > openwrt-devel at lists.openwrt.org
> > https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
> >
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20150913/21771009/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


More information about the openwrt-devel mailing list