DD-WRT Security Vulnerability Remediation

Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

Posted: Sun Nov 10, 2019 21:24    Post subject: DD-WRT Security Vulnerability Remediation
Hey all.. In short I am a "if it isn't broke don't fix it" kind of person.. however with wireless I also don't want to be naive and become a "sitting duck" either. I currently have 4 APs running R37736 from Nov 18. I haven't had any issues so I haven't been thinking about testing any new betas, plus taking down the Wifi makes people cranky :)

I can always just install the latest build and assume that critical vulnerabilities could have been patched...but is there a better way to track when there is something of significant security concern (especially if time sensitive) that pertains to DD-WRT firmware?

Is there a thread where security vulnerabilities specific to DD-WRT are being tracked? BS' timeline didn't seem to be an accurate or efficient method of being able to identify when critical vulnerabilities have been patched in.

Thanks in advance

PS. Sorry if in the wrong place, I have Atheros based hardware:

R7800/R9000
DD-WRT v3.0-r37736 std (11/17/18 )
Linux 4.9.137 #218 SMP PREEMPT Wed Nov 14 10:38:00 CET 2018

WNDR3700 v2
Firmware Version DD-WRT v3.0-r37736 std (11/17/18 )
Linux 3.10.108-d6 #67934 Sat Nov 17 03:30:49 GMT 2018 mips
Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

Posted: Mon Nov 11, 2019 14:42
Perhaps something like this but specific to DD-WRT?

https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-7/cvssscoremax-7.99/Linux-Linux-Kernel.html

EDIT: Noticed this afterward but it is very outdated
https://www.cvedetails.com/vulnerability-list/vendor_id-9341/product_id-16564/Dd-wrt-Dd-wrt.html
ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

Posted: Sun Nov 24, 2019 15:38    Post subject: Re: DD-WRT Security Vulnerability Remediation
Laithan wrote:
Hey all.. In short I am a "if it isn't broke don't fix it" kind of person.. however with wireless I also don't want to be naive and become a "sitting duck" either. I currently have 4 APs running R37736 from Nov 18. I haven't had any issues so I haven't been thinking about testing any new betas, plus taking down the Wifi makes people cranky :)

I can always just install the latest build and assume that critical vulnerabilities could have been patched...but is there a better way to track when there is something of significant security concern (especially if time sensitive) that pertains to DD-WRT firmware?

Is there a thread where security vulnerabilities specific to DD-WRT are being tracked? BS' timeline didn't seem to be an accurate or efficient method of being able to identify when critical vulnerabilities have been patched in.

Thanks in advance

PS. Sorry if in the wrong place, I have Atheros based hardware:

R7800/R9000
DD-WRT v3.0-r37736 std (11/17/18 )
Linux 4.9.137 #218 SMP PREEMPT Wed Nov 14 10:38:00 CET 2018

WNDR3700 v2
Firmware Version DD-WRT v3.0-r37736 std (11/17/18 )
Linux 3.10.108-d6 #67934 Sat Nov 17 03:30:49 GMT 2018 mips



Look at the update release notes for the various packages that come with dd-wrt such as OpenVPN etc but to be honest, the only way to make sure you are reasonably protected from exploits circulating out there is to always update to the latest since BrainSlayer is always on top of it with making sure everything is mostly running on latest patch. Check

If wifi coming down for a ddwrt update is a nuisance, you can always install it late at night or very early in the morning since it only takes a few minutes to install anyway. It's ultimately up to you, though.

Btw, check live updates for development of dd-wrt here so you can go over the various patches yourself if you want: https://svn.dd-wrt.com/
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

Posted: Sun Nov 24, 2019 16:28
yep 37736 is very old and there were security patches regarding flags and diff binaries since then...
moreover all the foreign binaries like DNSmasq, and Busybox and Ath10k driver etc....
So, if your main router is reliable and secure and you don't have any open holes, then whatever runs inside the network is not a big concern, but it's not a bad idea at least to update your edge router i guess...
I'm still running an old Kong build for my R7800 and it's still kind of preferable, prior BS builds, as many others believe too...
you can find it in its threads here and there..or by request...
Otherwise BS tends to update and breaks the things, then fixes it and then there are some stable builds, until something is broken and so on and on he keeps up the development going...

I guess exposing bugs online like you want is not a good practice, as it can be easily exploited...for those patches you look at SVN but even there you must follow the stream...
Have a look at the new builds threads, look at the SVN and gather information before update...prior update, you might need to reset as your build is quite old as well...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55363 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55363 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

Posted: Tue Nov 26, 2019 3:25
ironstaff wrote:

Look at the update release notes for the various packages that come with dd-wrt such as OpenVPN etc but to be honest, the only way to make sure you are reasonably protected from exploits circulating out there is to always update to the latest since BrainSlayer is always on top of it with making sure everything is mostly running on latest patch. Check


Alozaros wrote:
yep 37736 is very old and there were security patches regarding flags and diff binaries since then...moreover all the foreign binaries like DNSmasq, and Busybox and Ath10k driver etc....

I guess exposing bugs online like you want is not a good practice, as it can be easily exploited...for those patches you look at SVN but even there you must follow the stream...



Thanks for the replies. I sort of figured as such but I guess the logic I had used treats DD-WRT more like an operating system rather than an appliance. I guess it is the industry mindset of having "CRITICAL/HIGH/MEDIUM and LOW" categories of vulnerabilities where you could have a business practice of installing all critical patches only for example. You would then need a way to identify which new builds contained a CRITICAL severity.

For DD-WRT, using SVN provides some insight but I'm also not sure you could even use SVN because sometimes all you get is "Kernel updated" with no detailed changelog so I'm not sure you could associate a build with a severity level (unless there is something I am not aware of). I get that BS could say something in the notes if there was a critical patch but it is what I would consider an extremely important detail that is essentially a needle in a haystack for most. I would personally feel much better about only installing new BETA builds when I know there is a critical fix applied, rather than just install them every week or so as they come out. I may be the lonely guy standing in the middle of the empty field on this one haha! :lol: but wouldn't that be helpful? The true warriors could test every build and the guy that just wants everything patched could do that also 8)

Given that DD-WRT is an entry point to our network (obviously if used as a router but even when just using as an AP) I am sort of surprised that there is not a lot more attention to this especially given the current state of Cyberthreats.

I would definitely agree that establishing a list of exploits that could be associated to certain builds could draw unnecessary attention however if the exploits were hidden and only severity levels were listed (i.e. "CRITICAL") I would think that should be safe.

Any other thoughts? Would it make sense to establish DD-WRT severity levels for builds? Maybe as part of the first post of every new build, have a section that lists vulnerabilities and severity (if any)?

Thanks all
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

Posted: Tue Nov 26, 2019 3:37    Post subject: Re: DD-WRT Security Vulnerability Remediation
Laithan wrote:
BS' timeline didn't seem to be an accurate or efficient method of being able to identify when critical vulnerabilities have been patched in.


well it is, and it's all there is. so ur going to have to start following it.

(and ur using ancient builds, would think someone so "up there" about security would be running current builds..)

_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r55416 std
[QUALCOMM] DIR-862L --------------------------------> r55416 std
▲ ACTIVE / INACTIVE ▼
[QUALCOMM] WNDR4300 v1 --------------------------> r50485 std
[BROADCOM] DIR-860L A1 ----------------------------> r50485 std


Sigh.. why do i exist anyway.. | I love you Anthony.. never forget that.. my other 99% that ill never see again..

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Tue Nov 26, 2019 4:08
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches...
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

Posted: Tue Nov 26, 2019 4:10
lol, you got me there, was ignoring the network side. At least not running factory firmware :)

I'm trying to reform ;)


kernel-panic69 wrote:
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches...


I see some spam on the old r37736 of "Setting new ageing time". On my R9000 with r41517 it looks pretty clean to me. I will be upgrading the other 3 shortly.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1176823
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

Posted: Tue Nov 26, 2019 4:50
kernel-panic69 wrote:
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches...


depends, what kind of gtk spam? post a piece of it?


kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Tue Nov 26, 2019 7:10
tatsuya46 wrote:
kernel-panic69 wrote:
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches...


depends, what kind of gtk spam? post a piece of it?


https://svn.dd-wrt.com/ticket/6723

https://svn.dd-wrt.com/attachment/ticket/6723/syslog.timer.msgs.txt

I have a feeling this is probably unique to Broadcom, but I am wondering if there are issues on other platforms related to the radio timer and GTK renewal.

tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

Posted: Tue Nov 26, 2019 7:39
kernel-panic69 wrote:
tatsuya46 wrote:
kernel-panic69 wrote:
I have a question. Do Atheros devices have issues with wifi GTK renewal spamming syslog and causing wi-fi issues? Anyway, if you want to call anything "security patches", okay. Some folks don't know where to look to find antique kernel security patches...


depends, what kind of gtk spam? post a piece of it?


https://svn.dd-wrt.com/ticket/6723

https://svn.dd-wrt.com/attachment/ticket/6723/syslog.timer.msgs.txt

I have a feeling this is probably unique to Broadcom, but I am wondering if there are issues on other platforms related to the radio timer and GTK renewal.


never seen that before, only kind i seen is from management frame protection enabled/auto when 802.11r is on (must be disabled when 802.11r is on)


kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Tue Nov 26, 2019 7:58
Ok, so that is a Broadcom-specific issue, then. I guess if people want working GTK renewal, they're going to have to migrate to another firmware or wait until BS fixes it properly, because the 4 way handshake ends up failing until you reboot the router or cycle the radios. I'm sure it will get top priority /sarcasm
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6264
Location: Texas

Posted: Tue Nov 26, 2019 8:45
kernel-panic69 wrote:
GTK renewal problem .....Ok, so that is a Broadcom-specific issue, then.

That is right, that it is specific to broadcom units.
That is why I still run 2 ~ 3 year old builds on my broadcom WAPs within my network :roll:
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Tue Nov 26, 2019 18:38
mrjcd wrote:
kernel-panic69 wrote:
GTK renewal problem .....Ok, so that is a Broadcom-specific issue, then.

That is right, that it is specific to broadcom units.
That is why I still run 2 ~ 3 year old builds on my broadcom WAPs within my network :roll:


Well part of the most recent 'fix' was for Atheros (radio scheduling), but it's still a little broken, I think? One dime paid here takes a quarter elsewhere. This is why co-mingling in a development tree is bad. OpenWRT does it somewhat, but probably not quite as much as DD-WRT.

ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

Posted: Mon Dec 16, 2019 17:48
Laithan wrote:
ironstaff wrote:

Look at the update release notes for the various packages that come with dd-wrt such as OpenVPN etc but to be honest, the only way to make sure you are reasonably protected from exploits circulating out there is to always update to the latest since BrainSlayer is always on top of it with making sure everything is mostly running on latest patch. Check


Alozaros wrote:
yep 37736 is very old and there were security patches regarding flags and diff binaries since then...moreover all the foreign binaries like DNSmasq, and Busybox and Ath10k driver etc....

I guess exposing bugs online like you want is not a good practice, as it can be easily exploited...for those patches you look at SVN but even there you must follow the stream...



Thanks for the replies. I sort of figured as such but I guess the logic I had used treats DD-WRT more like an operating system rather than an appliance. I guess it is the industry mindset of having "CRITICAL/HIGH/MEDIUM and LOW" categories of vulnerabilities where you could have a business practice of installing all critical patches only for example. You would then need a way to identify which new builds contained a CRITICAL severity.

For DD-WRT, using SVN provides some insight but I'm also not sure you could even use SVN because sometimes all you get is "Kernel updated" with no detailed changelog so I'm not sure you could associate a build with a severity level (unless there is something I am not aware of). I get that BS could say something in the notes if there was a critical patch but it is what I would consider an extremely important detail that is essentially a needle in a haystack for most. I would personally feel much better about only installing new BETA builds when I know there is a critical fix applied, rather than just install them every week or so as they come out. I may be the lonely guy standing in the middle of the empty field on this one haha! :lol: but wouldn't that be helpful? The true warriors could test every build and the guy that just wants everything patched could do that also 8)

Given that DD-WRT is an entry point to our network (obviously if used as a router but even when just using as an AP) I am sort of surprised that there is not a lot more attention to this especially given the current state of Cyberthreats.

I would definitely agree that establishing a list of exploits that could be associated to certain builds could draw unnecessary attention however if the exploits were hidden and only severity levels were listed (i.e. "CRITICAL") I would think that should be safe.

Any other thoughts? Would it make sense to establish DD-WRT severity levels for builds? Maybe as part of the first post of every new build, have a section that lists vulnerabilities and severity (if any)?

Thanks all



When you see “kernel updated” or any changeset title, you'll need to click on it and look at the actual files. For example, when you see that kernel is updated, click on the changeset and then click on the makefile for the new kernel build. You should see the update version. After that, check to see if the kernel is for your router. You can also google the kernel version to see what changes were made. Keep in mind that for Linux kernels, you should not expect to always see public CVE entries due to the speed at which things are updated despite many vulnerabilities being addressed with each new update.

With SVN, you have to look at the details at what is being updated and have a good understanding of router firmware and the various packages to know what to look for. Once you see something updated or changed e.g. OpenVPN 2.4.7 —> 2.4.8, you can then google for the release notes to see the features and mitigations in the new version.

I know it's not as convenient as seeing a CVE entry or release note every time but that would lead to a zillion CVE entries and release notes since the rate at which updates are released for DD-WRT is amazing.

Typical firmware vendors, on the other hand, wait months or more to release updates so they can afford to fancifully write pretty release notes every time there is a noteworthy update. The other downside to this, aside from the process being closed to public scrutiny, is that there is a vast amount of time where your device stays unpatched as the vendor twiddles their thumbs or abandons the hardware completely to facilitate forced obsolescence.
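
The manual check described in the post above (read the kernel version out of the changed Makefile, then see whether it concerns your router) can be scripted. This is an added example, not part of the thread or of DD-WRT's tooling: the Makefile sample and the changeset title format are constructed, the "same major.minor series" rule is an assumption, and the two firmware banners are the ones quoted in the first post.

```python
import re

# Constructed sample: the version fields of a Linux kernel top-level Makefile,
# as seen in the file opened from a "kernel updated" changeset.
SAMPLE_MAKEFILE = """\
VERSION = 4
PATCHLEVEL = 9
SUBLEVEL = 198
EXTRAVERSION =
"""

# Firmware banners quoted in the first post of this thread.
R7800_BANNER = "Linux 4.9.137 #218 SMP PREEMPT Wed Nov 14 10:38:00 CET 2018"
WNDR3700_BANNER = "Linux 3.10.108-d6 #67934 Sat Nov 17 03:30:49 GMT 2018 mips"


def makefile_kernel_version(text):
    """Return (version, patchlevel, sublevel) from kernel Makefile text."""
    fields = dict(re.findall(
        r"^(VERSION|PATCHLEVEL|SUBLEVEL)[ \t]*=[ \t]*(\d+)[ \t]*$", text, re.M))
    missing = {"VERSION", "PATCHLEVEL", "SUBLEVEL"} - set(fields)
    if missing:
        raise ValueError(f"not a kernel Makefile, missing {sorted(missing)}")
    return tuple(int(fields[k]) for k in ("VERSION", "PATCHLEVEL", "SUBLEVEL"))


def running_kernel_version(banner):
    """Return (version, patchlevel, sublevel) from a 'Linux x.y.z ...' banner."""
    m = re.search(r"\bLinux (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no kernel version in banner: {banner!r}")
    return tuple(int(g) for g in m.groups())


def kernel_update_applies(makefile_text, banner):
    """Compare the kernel offered by a changeset with the running one.

    Assumption: an update concerns a device only when it is in the same
    major.minor series as the running kernel and has a higher sublevel.
    """
    offered = makefile_kernel_version(makefile_text)
    running = running_kernel_version(banner)
    same_series = offered[:2] == running[:2]
    return {"running": running, "offered": offered,
            "same_series": same_series,
            "newer": same_series and offered > running}


def package_bump(title):
    """Parse a 'Name 2.4.7 -> 2.4.8' style title (the format is an assumption).

    Returns (name, old, new) with versions as int tuples, or None when the
    title has no version pair and the changed files have to be read instead.
    """
    m = re.search(r"(\w[\w.+-]*)\s+v?(\d+(?:\.\d+)+)\s*(?:-+>|\u2014>|\u2192)"
                  r"\s*v?(\d+(?:\.\d+)+)", title)
    if not m:
        return None
    as_tuple = lambda s: tuple(int(p) for p in s.split("."))
    return m.group(1), as_tuple(m.group(2)), as_tuple(m.group(3))


if __name__ == "__main__":
    for name, banner in (("R7800", R7800_BANNER), ("WNDR3700", WNDR3700_BANNER)):
        print(name, kernel_update_applies(SAMPLE_MAKEFILE, banner))
    print(package_bump("OpenVPN 2.4.7 \u2014> 2.4.8"))
```

A title such as "Kernel updated" yields `None` from `package_bump`, which is the case where the Makefile in the changeset has to be opened and passed to `kernel_update_applies`.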