Security posture of DD-WRT

MysticGold04
DD-WRT User


Joined: 20 Apr 2018
Posts: 76
Location: Troubleshooting

Posted: Mon Jul 13, 2020 19:37    Post subject: Security posture of DD-WRT
How secure is ddwrt??
Would you say it is more secure than stock firmware??

For instance, the latest Asus firmware still runs a 2.4x kernel while ddwrt runs on a 4.4x kernel.

Are there any known vulnerabilities that can be exploited on ddwrt??
Just curious.

_________________
ASUS RT-AC68U (R/AP) Merlin 384.19
ASUS RT-AC68U r44236 AP/Bridge
ASUS RT-AC68U FT 2020.5 Bridge
WRT54GL 1.1 r44236-std (old faithful)
Linksys E1200v2 r43266 (sleeping)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3796
Location: UK, London, just across the river..

Posted: Mon Jul 13, 2020 20:00
apart from misconfiguration... DD-WRT is supposed to be secure enough... safer, better than the stock..

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 44251 BS AP,NAT
TP-Link WR740Nv4 ------DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ----DD-WRT 444406 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 44340 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 44340 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 44340 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7203
Location: Texas, USA

Posted: Mon Jul 13, 2020 20:22
2.6.36.4 for the antique Asus models* The newer ones are using a much newer kernel than that, if I'm not mistaken.

Back to topic, I have not found anything of significance that can be exploited in DD-WRT out of the box with default configurations.

* - save and except for the WRT54* series Linksys clones.

_________________
Official Forum Rules, Guidelines, and Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware?
DON'T use Chromium-based browsers • RTFM/STFW - TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum.

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 930
Location: Appalachian mountains, USA

Posted: Tue Jul 14, 2020 16:12
See recent study https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/HomeRouter/HomeRouterSecurity_2020_Bericht.pdf for the linux kernel versions used by 116 consumer routers. Kernel version numbers ranged from 2.4.20 to 4.4.60 with half of them at 3.10.14 or earlier. Pathetic.

You can see what version your dd-wrt is running with "cat /proc/version" in the CLI. I run build 42926 from April 2020 and am on version 4.9.219 of the linux kernel. I have a friend using 40009 from June 2019, and he checked and was on a 4.9.X kernel also. (I've lost the note so don't know X.)

That should tell you something about how serious the dd-wrt developers are about security compared to the writers of OEM firmware. I've seen claims that the latter writers are often hired off the street and shoved into these projects without knowing a thing about routers or networking and that they mostly just copy code from older projects. dd-wrt, however, has been in continuous development for over 15 years I believe, and the current lead developer "BrainSlayer" (Sebastian Gottschall in the real world) has been there most or all (google is your friend) of that time. Continuity and depth of knowledge on the very complex code in a router is really important.

Opinion alert: If you think about it, it's really, really expensive to develop solid software on a project as incredibly complex as a modern router, and consumer routers will never sell for high enough prices to pay for that. OEM firmware is pretty much guaranteed to be junk. Business routers do better, but then they cost 2x as much and upward from there.

_________________
Five Linksys WRT1900ACSv2's on 42926, 44048
VLANs, multiple VAPs, NAS, client-mode travel router, OpenVPN client/PBR (AirVPN), wireguard/PBR (AzireVPN), two DNSCrypt servers (incl Quad9) routed through OpenVPN.
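
The `cat /proc/version` check from the post above, extended into a comparison against a baseline release. This is an added example, not part of the thread or of DD-WRT's code; the function names and the sample `/proc/version` lines are constructed, and the baseline 3.10.14 is the study's midpoint as quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): compare a router's kernel release
# with a baseline. Function names and sample inputs are constructed.

# Pull the numeric release (e.g. 4.9.219) out of a /proc/version line.
kernel_release() {
    printf '%s\n' "$1" |
        sed -n 's/^Linux version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Numeric, field-by-field compare; prints -1, 0 or 1.
# A plain string compare would rank 3.9 above 3.10.
version_cmp() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        # Drop the field just read; empty the string after the last field.
        [ "$_a" = "$_x" ] && _a= || _a=${_a#*.}
        [ "$_b" = "$_y" ] && _b= || _b=${_b#*.}
        _x=${_x:-0}; _y=${_y:-0}      # missing fields count as 0
        if [ "$_x" -lt "$_y" ]; then echo -1; return 0; fi
        if [ "$_x" -gt "$_y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Report "<release> older|same|newer" relative to baseline $2.
kernel_vs_baseline() {
    _rel=$(kernel_release "$1")
    [ -n "$_rel" ] || { echo unparsed; return 0; }
    case $(version_cmp "$_rel" "$2") in
        -1) echo "$_rel older" ;;
        0)  echo "$_rel same" ;;
        1)  echo "$_rel newer" ;;
    esac
}

# Baseline: the study's midpoint quoted in the post (3.10.14).
BASELINE=3.10.14
# Constructed sample lines in /proc/version format.
for line in \
    'Linux version 4.9.219 (build@host) (gcc version 9.3.0) #1 SMP' \
    'Linux version 2.6.36.4brcmarm (build@host) (gcc version 4.5.3) #1'
do
    kernel_vs_baseline "$line" "$BASELINE"
done
# On the router itself, check the running kernel.
if [ -r /proc/version ]; then
    kernel_vs_baseline "$(cat /proc/version)" "$BASELINE"
fi
```

A release number only bounds which upstream fixes could be present; patches are also back-ported to older kernels, so an "older" result is a prompt to read the firmware changelog rather than proof of exposure.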
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7203
Location: Texas, USA

Posted: Tue Jul 14, 2020 16:25
I have some ongoing patching to 2.6 thanks to RHEL 6. Once they discontinue extended ongoing support for that kernel, then it will be time to look into options. Kernel version is negligible, if patches are back-ported. Also, you can't exploit something if the code isn't in the kernel. Sometimes, CVE reports are erroneous as to what they apply to. Also, a router is not a server or PC (in most cases). If someone is that bent on hijacking a router for dubious purposes, then there's a much larger problem. As with system administration, proactive administration of your routers is as important as security patches.

I was hesitant to include this in my previous comment for fear some folks might give me grief. [Twisted Evil]

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 930
Location: Appalachian mountains, USA

Posted: Tue Jul 14, 2020 17:08
Indeed, kp69, indeed.

Also, let us keep in mind that most router attacks go after the easy targets like idiots who leave the admin gui easily accessible with a default or pointless password (think 123456). There are plenty of easy ways to be stupid. The fancy hacking tricks one reads about in CVEs... how common are they really?

That said, dd-wrt users tend to be people who pay attention to their configs and try to do things right. That immediately makes them not worth the trouble to most mass-attack router hackers.

None of that means, of course, that we as dd-wrt people won't go the extra mile. I have an emoji in my most-used SSID just to say to drive-by wifi-hacking trucks, "This is not the router you are looking for."

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7203
Location: Texas, USA

Posted: Tue Jul 14, 2020 17:10
SurprisedItWorks wrote:
I have an emoji in my most-used SSID just to say to drive-by wifi-hacking trucks, "This is not the router you are looking for."


A one-finger salute? [Laughing]

foz111
DD-WRT User


Joined: 01 Oct 2017
Posts: 325
Location: Earth

Posted: Tue Jul 14, 2020 18:01
Like [Laughing]

kernel-panic69 wrote:
SurprisedItWorks wrote:
I have an emoji in my most-used SSID just to say to drive-by wifi-hacking trucks, "This is not the router you are looking for."


A one-finger salute? [Laughing]
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3796
Location: UK, London, just across the river..

Posted: Tue Jul 14, 2020 19:28
just to blur the water...

ppp buffer overflow vulnerability (CVE-2020-8597)
libubox tagged binary data JSON serialization vulnerability (CVE-2020-7248)
Opkg susceptible to MITM (CVE-2020-7982)
uhttpd invalid data access via HTTP POST request (CVE-2019-19945)
ustream-ssl information disclosure (CVE-2019-5101, CVE-2019-5102)

as you can see, those animals exist...
so, nothing is secure, as long as it uses foreign binaries... that might be the door to the rave...
but BS does patches for those as soon as possible, whenever it's possible... [Rolling Eyes]
will not comment on whether stock firmware is patched at all... the guys above explained it... and that's the reason why people use/choose 3rd-party router firmware...
as far as the kernel is concerned, there is enterprise hardware still incorporating old kernels...
