Posted: Sun Nov 10, 2019 21:24 Post subject: DD-WRT Security Vulnerability Remediation
Hey all.. In short I am a "if it isn't broke don't fix it" kind of person.. however with wireless I also don't want to be naive and become a "sitting duck" either. I currently have 4 APs running R37736 from Nov 18. I haven't had any issues so I haven't been thinking about testing any new betas, plus taking down the Wifi makes people cranky
I can always just install the latest build and assume that critical vulnerabilities could have been patched...but is there a better way to track when there is something of significant security concern (especially if time sensitive) that pertains to DD-WRT firmware?
Is there a thread where security vulnerabilities specific to DD-WRT are being tracked? BS' timeline didn't seem to be an accurate or efficient method of being able to identify when critical vulnerabilities have been patched in.
Thanks in advance
PS. Sorry if in the wrong place, I have Atheros based hardware:
R7800/R9000
DD-WRT v3.0-r37736 std (11/17/18 )
Linux 4.9.137 #218 SMP PREEMPT Wed Nov 14 10:38:00 CET 2018
WNDR3700 v2
Firmware Version DD-WRT v3.0-r37736 std (11/17/18 )
Linux 3.10.108-d6 #67934 Sat Nov 17 03:30:49 GMT 2018 mips
Posted: Sun Nov 24, 2019 15:38 Post subject: Re: DD-WRT Security Vulnerability Remediation
Laithan wrote:
Hey all.. In short I am a "if it isn't broke don't fix it" kind of person.. however with wireless I also don't want to be naive and become a "sitting duck" either. I currently have 4 APs running R37736 from Nov 18. I haven't had any issues so I haven't been thinking about testing any new betas, plus taking down the Wifi makes people cranky
I can always just install the latest build and assume that critical vulnerabilities could have been patched...but is there a better way to track when there is something of significant security concern (especially if time sensitive) that pertains to DD-WRT firmware?
Is there a thread where security vulnerabilities specific to DD-WRT are being tracked? BS' timeline didn't seem to be an accurate or efficient method of being able to identify when critical vulnerabilities have been patched in.
Thanks in advance
PS. Sorry if in the wrong place, I have Atheros based hardware:
R7800/R9000
DD-WRT v3.0-r37736 std (11/17/18 )
Linux 4.9.137 #218 SMP PREEMPT Wed Nov 14 10:38:00 CET 2018
WNDR3700 v2
Firmware Version DD-WRT v3.0-r37736 std (11/17/18 )
Linux 3.10.108-d6 #67934 Sat Nov 17 03:30:49 GMT 2018 mips
Look at the update release notes for the various packages that come with dd-wrt, such as OpenVPN etc., but to be honest, the only way to make sure you are reasonably protected from exploits circulating out there is to always update to the latest, since BrainSlayer is always on top of it with making sure everything is mostly running on the latest patch. Check
If wifi coming down for a ddwrt update is a nuisance, you can always install it late at night or very early in the morning, since it only takes a few minutes to install anyway. It's ultimately up to you, though.
Btw, check live updates for development of dd-wrt here so you can go over the various patches yourself if you want: https://svn.dd-wrt.com/
Joined: 16 Nov 2015 Posts: 6388 Location: UK, London, just across the river..
Posted: Sun Nov 24, 2019 16:28 Post subject:
yep, 37736 is very old and there were security patches regarding flags and diff binaries since then...
moreover all the foreign binaries like DNSmasq, Busybox, the Ath10k driver, etc....
So, if your main router is reliable and secure and you don't have any open holes, then whatever runs inside the network is not a big concern, but it's not a bad idea at least to update your edge router, I guess...
I'm still running an old Kong build for my R7800 and it's still kind of preferable, prior BS builds, as many others believe too...
you can find it in its threads here and there... or by request...
Otherwise BS tends to update and break things, then fixes it, and then there are some stable builds, until something is broken, and so on and on he keeps the development going...
I guess exposing bugs online like you want is not a good practice, as it can be easily exploited... for those patches you look at SVN, but even there you must follow the stream...
Have a look at the new builds threads, look at the SVN and gather information before updating... prior to updating, you might need to reset, as your build is quite old as well...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55363 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55363 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Look at the update release notes for the various packages that come with dd-wrt, such as OpenVPN etc., but to be honest, the only way to make sure you are reasonably protected from exploits circulating out there is to always update to the latest, since BrainSlayer is always on top of it with making sure everything is mostly running on the latest patch. Check
Alozaros wrote:
yep, 37736 is very old and there were security patches regarding flags and diff binaries since then... moreover all the foreign binaries like DNSmasq, Busybox, the Ath10k driver, etc....
I guess exposing bugs online like you want is not a good practice, as it can be easily exploited... for those patches you look at SVN, but even there you must follow the stream...
Thanks for the replies. I sort of figured as such but I guess the logic I had used treats DD-WRT more like an operating system rather than an appliance. I guess it is the industry mindset of having "CRITICAL/HIGH/MEDIUM and LOW" categories of vulnerabilities where you could have a business practice of installing all critical patches only for example. You would then need a way to identify which new builds contained a CRITICAL severity.
For DD-WRT, using SVN provides some insight but I'm also not sure you could even use SVN because sometimes all you get is "Kernel updated" with no detailed changelog so I'm not sure you could associate a build with a severity level (unless there is something I am not aware of). I get that BS could say something in the notes if there was a critical patch but it is what I would consider an extremely important detail that is essentially a needle in a haystack for most. I would personally feel much better about only installing new BETA builds when I know there is a critical fix applied, rather than just install them every week or so as they come out. I may be the lonely guy standing in the middle of the empty field on this one haha! but wouldn't that be helpful? The true warriors could test every build and the guy that just wants everything patched could do that also
Given that DD-WRT is an entry point to our network (obviously if used as a router but even when just using as an AP) I am sort of surprised that there is not a lot more attention to this especially given the current state of Cyberthreats.
I would definitely agree that establishing a list of exploits that could be associated with certain builds could draw unnecessary attention; however, if the exploits were hidden and only severity levels were listed (i.e. "CRITICAL"), I would think that should be safe.
Any other thoughts? Would it make sense to establish DD-WRT severity levels for builds? Maybe as part of the first post of every new build, have a section that lists vulnerabilities and severity (if any)?
Joined: 08 May 2018 Posts: 14102 Location: Texas, USA
Posted: Tue Nov 26, 2019 4:08 Post subject:
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches... _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
lol, you got me there, was ignoring the network side. At least not running factory firmware
I'm trying to reform
kernel-panic69 wrote:
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches...
I see some spam on the old r37736 of "Setting new ageing time". On my R9000 with r41517 it looks pretty clean to me. I will be upgrading the other 3 shortly.
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Tue Nov 26, 2019 4:50 Post subject:
kernel-panic69 wrote:
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches...
depends, what kind of gtk spam? post a piece of it? _________________ LATEST FIRMWARE(S)
BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Joined: 08 May 2018 Posts: 14102 Location: Texas, USA
Posted: Tue Nov 26, 2019 7:10 Post subject:
tatsuya46 wrote:
kernel-panic69 wrote:
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches...
depends, what kind of gtk spam? post a piece of it?
I have a feeling this is probably unique to Broadcom, but I am wondering if there are issues on other platforms related to the radio timer and GTK renewal.
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Tue Nov 26, 2019 7:39 Post subject:
kernel-panic69 wrote:
tatsuya46 wrote:
kernel-panic69 wrote:
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches...
depends, what kind of gtk spam? post a piece of it?
I have a feeling this is probably unique to Broadcom, but I am wondering if there are issues on other platforms related to the radio timer and GTK renewal.
never seen that before, only kind i seen is from management frame protection enabled/auto when 802.11r is on (must be disabled when 802.11r is on)
Joined: 08 May 2018 Posts: 14102 Location: Texas, USA
Posted: Tue Nov 26, 2019 7:58 Post subject:
Ok, so that is a Broadcom-specific issue, then. I guess if people want working GTK renewal, they're going to have to migrate to another firmware or wait until BS fixes it properly, because the 4 way handshake ends up failing until you reboot the router or cycle the radios. I'm sure it will get top priority /sarcasm
Joined: 08 May 2018 Posts: 14102 Location: Texas, USA
Posted: Tue Nov 26, 2019 18:38 Post subject:
mrjcd wrote:
kernel-panic69 wrote:
GTK renewal problem .....Ok, so that is a Broadcom-specific issue, then.
That is right, that it is specific to broadcom units.
That is why I still run 2 ~ 3 year old builds on my broadcom WAPs within my network
Well part of the most recent 'fix' was for Atheros (radio scheduling), but it's still a little broken, I think? One dime paid here takes a quarter elsewhere. This is why co-mingling in a development tree is bad. OpenWRT does it somewhat, but probably not quite as much as DD-WRT.
When you see “kernel updated” or any changeset title, you'll need to click on it and look at the actual files. For example, when you see that kernel is updated, click on the changeset and then click on the makefile for the new kernel build. You should see the update version. After that, check to see if the kernel is for your router. You can also google the kernel version to see what changes were made. Keep in mind that for Linux kernels, you should not expect to always see public CVE entries due to the speed at which things are updated despite many vulnerabilities being addressed with each new update.
With SVN, you have to look at the details of what is being updated and have a good understanding of router firmware and the various packages to know what to look for. Once you see something updated or changed, e.g. OpenVPN 2.4.7 —> 2.4.8, you can then google for the release notes to see the features and mitigations in the new version.
I know it's not as convenient as seeing a CVE entry or release note every time, but that would lead to a zillion CVE entries and release notes, since the rate at which updates are released for DD-WRT is amazing.
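As an added illustration of the procedure above (not code from the forum or the DD-WRT project), the script below pulls the kernel version out of a kernel Makefile as it would appear in a changeset, compares it with the version a router reports on its status page, and picks "name old -> new" package bumps out of a changeset message; the Makefile text and log message are constructed samples, while the uname strings are the ones quoted in the first post.

```python
"""Decide whether a changeset bumps the kernel or a bundled package relative
to what a router currently runs. Sample inputs are constructed for illustration."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# A Linux kernel Makefile opens with these assignments (EXTRAVERSION is ignored).
_KMAKE = re.compile(r"^(VERSION|PATCHLEVEL|SUBLEVEL)\s*=\s*(\d+)\s*$", re.M)
# "OpenVPN 2.4.7 -> 2.4.8" style bumps in a changeset message (also the "—>" form).
_BUMP = re.compile(r"([A-Za-z][\w-]*)\s+(\d+(?:\.\d+)+)\s*(?:->|—>)\s*(\d+(?:\.\d+)+)")


def kernel_version_from_makefile(makefile: str) -> Version:
    """Return (VERSION, PATCHLEVEL, SUBLEVEL) parsed from a kernel Makefile."""
    fields = dict(_KMAKE.findall(makefile))
    return tuple(int(fields[k]) for k in ("VERSION", "PATCHLEVEL", "SUBLEVEL"))


def kernel_version_from_uname(uname: str) -> Version:
    """Parse the 'Linux 4.9.137 #218 SMP ...' line shown on the router status page."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", uname)
    if not m:
        raise ValueError(f"no kernel version found in {uname!r}")
    return tuple(int(x) for x in m.groups())


def kernel_bump(running_uname: str, new_makefile: str) -> Optional[str]:
    """One-line finding when the changeset kernel is newer than the running one
    and in the same major.minor series; None when the change is not for this kernel."""
    old = kernel_version_from_uname(running_uname)
    new = kernel_version_from_makefile(new_makefile)
    if old[:2] != new[:2] or new <= old:
        return None
    return "kernel %s -> %s" % (".".join(map(str, old)), ".".join(map(str, new)))


def package_bumps(log_message: str) -> List[Tuple[str, str, str]]:
    """Extract (package, old_version, new_version) triples from a changeset message."""
    return _BUMP.findall(log_message)


# Constructed sample changeset: a 4.9 kernel Makefile and a short log message.
SAMPLE_MAKEFILE = "VERSION = 4\nPATCHLEVEL = 9\nSUBLEVEL = 200\nEXTRAVERSION =\n"
SAMPLE_LOG = "update OpenVPN 2.4.7 -> 2.4.8 and dnsmasq 2.80 -> 2.81"
R7800_UNAME = "Linux 4.9.137 #218 SMP PREEMPT Wed Nov 14 10:38:00 CET 2018"
WNDR3700_UNAME = "Linux 3.10.108-d6 #67934 Sat Nov 17 03:30:49 GMT 2018 mips"

if __name__ == "__main__":
    for name, uname in (("R7800", R7800_UNAME), ("WNDR3700v2", WNDR3700_UNAME)):
        print(name, kernel_bump(uname, SAMPLE_MAKEFILE) or "kernel change not for this device")
    for pkg, old, new in package_bumps(SAMPLE_LOG):
        print(f"{pkg}: {old} -> {new}  (look up the upstream release notes)")
```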
Typical firmware vendors, on the other hand, wait months or more to release updates so they can afford to fancifully write pretty release notes every time there is a noteworthy update. The other downside to this, aside from the process being closed to public scrutiny, is that there is a vast amount of time where your device stays unpatched as the vendor twiddles their thumbs or abandons the hardware completely to facilitate forced obsolescence.