[OpenWrt-Devel] OpenWRT www version banner a security risk

Tobias Welz tw at wiznet.eu
Sun Sep 13 16:48:24 EDT 2015



Am 13.09.2015 um 22:04 schrieb Daniel Dickinson:
> I do think allowing to choose to disable the banner is a minor 
> benefit, however, as 
Anyway It's a bad behavior to disclose detailed version information 
without login. SOHO Routers are not as often upgraded as normal PCs - so 
why make it easier for an attacker to just lookup how he can enter that 
specific version.
Especially as sometimes the attacker can be inside the network as he got 
legally the SSID/Password but he should not be able to access ,e.g., DSL 
login data on the system or beeing able to reconfigure it. Just think of 
routers in Hotels etc.
I don't agree that this is fully the classical "security by obscurity" 
(like with MAC filters).
> I've said, there are much more effective means of preventing 
> accidential exposure, and quite frankly if the user is *choosing* to 
> open the web interface I think an warning and disabling the banner if 
> the user foolishly insists on opening the interface despite the 
> warning is more useful thank disabling the banner by default.
>
> If you're going to argue it prevents against internal threats than I 
> would argue that if your internal network is hostile enough that you 
> need to worry about attacks on openwrt from your internal network AND 
> you're not skilled enough to limit access to LuCI (or better, build an 
> image without LuCI and just use SSH) to the specific trusted hosts 
> (preferably by combination of MAC address and IP address) in the 
> firewall, or (better) to use a 'management' VPN or VLAN that only 
> trusted hosts can get on, then you're in a lot more trouble than 
> eliminating the banner for LuCI will solve.
>
> Regards,
>
> Daniel
>
> On 2015-09-13 10:21 AM, MauritsVB wrote:
>> At the moment the OpenWRT www login screen provides *very* detailed 
>> version information before anyone has even entered a password. It 
>> displays not just “15.05” or “Chaos Calmer” but even the exact git 
>> version on the banner.
>>
>> While it’s not advised to open this login screen to the world, fact 
>> is that it does happen intentionally or accidentally. Just a Google 
>> search for “Powered by LuCI Master (git-“ will provide many 
>> accessible OpenWRT login screens, including exact version information.
>>
>> As soon as someone discovers a vulnerability in a OpenWRT version all 
>> an attacker needs to do is perform a Google search to find many 
>> installations with versions that are vulnerable (even if a patch is 
>> already available).
>>
>> In the interest of hardening the default OpenWRT install, can I 
>> suggest that by default OpenWRT doesn’t disclose the version (not 
>> even 15.05 or “Chaos Calmer”) on the login screen? For extra safety I 
>> would even suggest to leave “OpenWRT” off the login screen, the only 
>> people who should use this screen already know it’s running OpenWRT.
>>
>> Any thoughts?
>>
>> Maurits
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20150913/4dffcb8b/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


More information about the openwrt-devel mailing list