New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security: information disclosure to unauthenticated guest #3766
Comments
|
It is trivial to probe installed packages by checking http://routerip/luci-static/resources/view/ or by checking the strings contained in the translation feed, therefor there is no security benefit in hiding the menu tree. |
Doesn't seem that way, i just double-checked with Adblock plugin installed:
We are not discussing security through obscurity here: hidden or not the menu tree should not disclose this information to unauthenticated users. |
|
I cannot ship new openwrt + LuCI builds until this issue gets addressed properly, i kindly ask you to reconsider and reopen this ticket. |
You can easily change it in your own builds "for shipping". |
|
Thank you for pointing the faulty commit, i'm going to strip that patch from my builds until this gets addresses, though since it is such a small change it seems trivial to revert it on the master branch. |
|
Note that it is related to translation, as discussed in #3563 With normal untranslated English you should have not trouble with that reverted. |
|
It is bad enough that the issue was already reported 2 months ago and hasn't been addressed yet but
is even more worrying. |
|
If you need to hide static resources from the server for unauthenticated users, consider switching to HTTP basic authentication. Hiding (as in not rendering) the menu tree for unauthenticated users is security by obscurity at its best. Also Adblock will be easily identifiable once https://forum.openwrt.org/t/adblock-4-pre-releases/57101 lands, even if menu rendering is disabled. |
|
So this is, at the very least, the third issue pointing out the security implications regarding that commit. You have to acknowledge this fact. I also don't buy the whole "Even if the menu is hidden you can still obtain that information easily, it provides zero security benefit" argument. This is not true at all for any product taking security seriously. I thought openwrt was one of those products, but maybe i was wrong. |
|
You failed to point out the actual security implications. What are are the security implications of knowing which packages are installed? |
|
|
https://www.cvedetails.com/vulnerability-list/cweid-200/vulnerabilities.html for a list of CVEs assigned (spoiler alert: there are a lot) |
|
If your threat profile requires you to hide that information, you need to switch HTTP basic authentication to prevent any access to static assets. You can also revert that commit if it increases your perceived security. Note that any package installing static assets (CSS files, icons, JavaScript resources) will be easily identifiable, regardless of whether the menu is rendered or not. Further information can be obtained by checking the cache buster strings which reveal the version of LuCI running. Further techniques are fingerprinting the translation feed or even the markup or CSS files themselves to deduce information. |
This hasn't been needed until now and is a clear POLA violation. This should be documented https://openwrt.org/docs/guide-user/luci/luci.secure.
If this is true (i did not find any traces of "adblock" in "/luci-static/") it should be documented https://openwrt.org/docs/guide-user/luci/luci.secure
This is all true and things should be clearly improved to harden the system against fingerprinting but doesn't change the fact that commit introduced a security issue which was not present before. I kindly ask you to revert that commit. |
|
I am not going to revert that commit. |
|
I am going to ask MITRE for a CVE. |
|
Feel free to. |
|
I commented all other duplicated bugs. Yes this is bug. |
|
A CVE with a "medium" severity score has been assigned by MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10871 |
|
Good point. Bugs should be fixed. And some bugs are really UGLY like that commit. |
I don't want to reveal anything unique or identifying about anyone. The less we share, in any way, the better. Were it not useful for troublesome situations, and helpful to a network's admin/users, it'd be best to disguise the router software entirely. If someone hits a router and can't even identify it as OpenWRT, let alone using luci, or it if presented even another platform, one could mislead attackers -- that would be a benefit. Make no mistake. The phrase "Security through obscurity is no security at all" is a misquoted and misleading catchphrase that gets into peoples' minds like a virus. Obscurity is another level of protection used across nature, military, etc. Were it a bad idea, nobody would ever use camouflage. The camouflaged tank is safer. The delicate router with the package with the Zero-day exploit, that is announcing it has that package, is Eve's easy target. And remember, it's not just about the hardness of the security, but the divulging of unique characteristics. Bob, presenting his uniqueness, is more likely for Eve to recognize him amongst the crowd. You never know the creative and destructive ways information will be exploited. |

Recent openwrt builds show the administration menu to unauthenticated guests: an attacker would be able to know the presence of installed packages and services on the box.
version banner: Powered by LuCI Master (git-20.078.22902-0ed0d42) / OpenWrt SNAPSHOT r12643-213250b56b
The text was updated successfully, but these errors were encountered: