Security posture of DD-WRT

MysticGold04
DD-WRT User


Joined: 20 Apr 2018
Posts: 174
Location: Somewhere remote

Posted: Mon Jul 13, 2020 19:37    Post subject: Security posture of DD-WRT
How secure is ddwrt??
Would you say it is more secure than stock firmware??

For instance, the latest Asus firmware still runs a 2.4x kernel while ddwrt runs on a 4.4x kernel.

Are there any known vulnerabilities that can be exploited on ddwrt??
Just curious.

_________________
ASUS RT-AC3100 AP Merlin 386.12_4
ASUS RT-AC68U Media Bridge/Merlin 386.12_4 (x2)
ASUS RT-AC68U AP r54604
ASUS RT-AC68U Gateway/AP r54604
Edgerouter-4, v2.0.9-hotfix7
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon Jul 13, 2020 20:00
Apart from misconfiguration... DD-WRT is supposed to be
secure enough... safer, better than the stock.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Mon Jul 13, 2020 20:22
2.6.36.4 for the antique Asus models.* The newer ones are using a much newer kernel than that, if I'm not mistaken.

Back to topic, I have not found anything of significance that can be exploited in DD-WRT out of the box with default configurations.

* - save and except for the WRT54* series Linksys clones.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Tue Jul 14, 2020 16:12
See recent study https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/HomeRouter/HomeRouterSecurity_2020_Bericht.pdf for the linux kernel versions used by 116 consumer routers. Kernel version numbers ranged from 2.4.20 to 4.4.60 with half of them at 3.10.14 or earlier. Pathetic.

You can see what version your dd-wrt is running with "cat /proc/version" in the CLI. I run build 42926 from April 2020 and am on version 4.9.219 of the linux kernel. I have a friend using 40009 from June 2019, and he checked and was on a 4.9.X kernel also. (I've lost the note so don't know X.)

That should tell you something about how serious the dd-wrt developers are about security compared to the writers of OEM firmware. I've seen claims that the latter writers are often hired off the street and shoved into these projects without knowing a thing about routers or networking and that they mostly just copy code from older projects. dd-wrt, however, has been in continuous development for over 15 years I believe, and the current lead developer "BrainSlayer" (Sebastian Gottschall in the real world), has been there most or all (google is your friend) of that time. Continuity and depth of knowledge on the very complex code in a router is really important.

Opinion alert: If you think about it, it's really, really expensive to develop solid software on a project as incredibly complex as a modern router, and consumer routers will never sell for high enough prices to pay for that. OEM firmware is pretty much guaranteed to be junk. Business routers do better, but then they cost 2x as much and upward from there.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
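
An added example, not part of the post above or of DD-WRT itself: POSIX shell functions that pull the kernel release out of a `/proc/version` line and place it against the study figures quoted in that post (range 2.4.20 to 4.4.60, half at 3.10.14 or earlier). The sample line and the function names are constructed for illustration; a release number alone does not show which fixes have been back-ported.

```sh
#!/bin/sh
# Added example, not from the thread. SAMPLE is a constructed /proc/version
# line using the 4.9.219 release reported in the post; on a router, call
# place_in_study "$(cat /proc/version)" instead.
SAMPLE='Linux version 4.9.219 (user@host) (constructed sample) #1 SMP'

# Print the dotted numeric release from a /proc/version line, dropping
# vendor suffixes such as "-rc1" or "brcmarm". Prints nothing if no match.
kernel_release() {
    printf '%s\n' "$1" |
        sed -n 's/^Linux version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Compare two dotted versions field by field, numerically.
# Prints -1, 0 or 1; missing fields count as 0 (4.9 equals 4.9.0).
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0} y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Place a release relative to the study figures quoted in the post:
# range 2.4.20 to 4.4.60, half of the routers at 3.10.14 or earlier.
place_in_study() {
    rel=$(kernel_release "$1")
    [ -n "$rel" ] || { echo "unparsed"; return 1; }
    if [ "$(ver_cmp "$rel" 2.4.20)" -lt 0 ]; then
        echo "$rel older-than-study-range"
    elif [ "$(ver_cmp "$rel" 3.10.14)" -le 0 ]; then
        echo "$rel older-half"
    elif [ "$(ver_cmp "$rel" 4.4.60)" -le 0 ]; then
        echo "$rel newer-half"
    else
        echo "$rel newer-than-study-range"
    fi
}

place_in_study "$SAMPLE"
```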
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Tue Jul 14, 2020 16:25
I have some ongoing patching to 2.6 thanks to RHEL 6. Once they discontinue extended ongoing support for that kernel, then it will be time to look into options. Kernel version is negligible, if patches are back-ported. Also, you can't exploit something if the code isn't in the kernel. Sometimes, CVE reports are erroneous as to what they apply to. Also, a router is not a server or PC (in most cases). If someone is that bent on hijacking a router for dubious purposes, then there's a much larger problem. As with system administration, proactive administration of your routers is as important as security patches.

I was hesitant to include this in my previous comment for fear some folks might give me grief. Twisted Evil

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Tue Jul 14, 2020 17:08
Indeed, kp69, indeed.

Also, let us keep in mind that most router attacks go after the easy targets like idiots who leave the admin gui easily accessible with a default or pointless password (think 123456). There are plenty of easy ways to be stupid. The fancy hacking tricks one reads about in CVEs... how common are they really?

That said, dd-wrt users tend to be people who pay attention to their configs and try to do things right. That immediately makes them not worth the trouble to most mass-attack router hackers.

None of that means, of course, that we as dd-wrt people won't go the extra mile. I have an emoji in my most-used SSID just to say to drive-by wifi-hacking trucks, "This is not the router you are looking for."

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Tue Jul 14, 2020 17:10
SurprisedItWorks wrote:
I have an emoji in my most-used SSID just to say to drive-by wifi-hacking trucks, "This is not the router you are looking for."


A one-finger salute? Laughing

foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

Posted: Tue Jul 14, 2020 18:01
Like Laughing

kernel-panic69 wrote:
SurprisedItWorks wrote:
I have an emoji in my most-used SSID just to say to drive-by wifi-hacking trucks, "This is not the router you are looking for."


A one-finger salute? Laughing
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Tue Jul 14, 2020 19:28
just to blur the water...

ppp buffer overflow vulnerability (CVE-2020-8597)
libubox tagged binary data JSON serialization vulnerability (CVE-2020-7248)
Opkg susceptible to MITM (CVE-2020-7982)
uhttpd invalid data access via HTTP POST request (CVE-2019-19945)
ustream-ssl information disclosure (CVE-2019-5101, CVE-2019-5102)

as you can see those animals exist...
so, nothing is secure, as long as it uses foreign binaries... that might be the door to the rave...
but BS does patches for those as soon as possible, whenever it's possible... Rolling Eyes
will not comment if stock firmware is patched at all... the guys above explained it... and that's the reason why people
use/choose 3rd party router firmware...
as far as the kernel is concerned, there is enterprise hardware still incorporating old kernels...
