Critical Flaw Discovered In DD-WRT
MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.
This is a common stack in wifi APs (Score:2, Insightful)
Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?
We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.
Standard Practices (Score:4, Insightful)
I was wondering: How can this attack be carried out if the external web management is turned off? From the article:
Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management. But that limitation could be easily overridden by a Cross-Site Request Forgery (CSRF) where a malicious website could inject the exploit from inside the browser.
The Slashdot blurb does state "The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device." but that statement doesn't curb a lot of the "The Sky is FALLING!" reactions....
Basically, I would NEVER allow remote web management of a device if it's on the internet. I believe the default for DD-WRT is to disable it as well, so you'd have to go in and tell the device that you want to enable this feature. All in all, I think for most users, this issue is a non-issue.
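The summary and the quoted DD-WRT note describe the attack class, not the code: a privileged action on the router's web GUI is reachable by a plain GET, so an image tag on any web page makes the victim's browser fire that request from inside the LAN with the router's saved credentials, and disabling remote management does not help. The following is an added example (not DD-WRT's httpd, and not the actual crafted URL, which the page does not reproduce) showing the vulnerable request-handling pattern beside the checks that defeat it: state changes only over POST, an Origin/Referer check against the router's own address, and a per-session anti-CSRF token. The endpoint path `/apply.cgi`, the parameter names and the LAN address 192.168.1.1 are assumptions for illustration; the browser-side request shapes are constructed inline.

```python
"""CSRF against an embedded router GUI: vulnerable vs. hardened request handling.

Added example, not DD-WRT code. Paths, parameter names and the router address
are illustrative assumptions; the 'browser' request builders below are
constructed to show what the victim's browser would actually emit.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

ROUTER_HOST = "192.168.1.1"                 # assumed LAN address of the web GUI
ALLOWED_ORIGINS = {f"http://{ROUTER_HOST}"}  # only the GUI itself may drive it


def new_session_token() -> str:
    """Per-session anti-CSRF token; a cross-site page cannot read it."""
    return secrets.token_hex(16)


def image_fetch(attacker_page: str, target_url: str):
    """Constructed: what a browser sends for <img src=target_url> placed on attacker_page.
    Always GET, Referer is the attacker's page, and the browser attaches any
    cookie or HTTP auth it already holds for the router."""
    u = urlparse(target_url)
    path = u.path + ("?" + u.query if u.query else "")
    return "GET", path, {"Host": u.netloc, "Referer": attacker_page}


def vulnerable_handle(method: str, path: str, headers: dict) -> str:
    """Vulnerable pattern: an authenticated GET with the right query applies the change.
    There is nothing here that distinguishes the admin's click from a forged <img>."""
    u = urlparse(path)
    if u.path != "/apply.cgi":
        return "IGNORED"
    params = parse_qs(u.query)
    return "APPLIED:" + ",".join(sorted(params))   # privileged action performed


def csrf_check(method: str, headers: dict, token, expected_token: str):
    """Return None when the request may proceed, else the rejection reason."""
    if method != "POST":
        return "state change requires POST"           # an <img> can only send GET
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return "missing Origin/Referer"
    o = urlparse(origin)
    if f"{o.scheme}://{o.netloc}" not in ALLOWED_ORIGINS:
        return "cross-site origin"
    if not (token and expected_token and hmac.compare_digest(token, expected_token)):
        return "bad or missing CSRF token"
    return None


def hardened_handle(method: str, path: str, headers: dict, body: str,
                    expected_token: str) -> str:
    """Same endpoint, but the change only happens when every CSRF check passes."""
    u = urlparse(path)
    if u.path != "/apply.cgi":
        return "IGNORED"
    params = parse_qs(body)                          # parameters come from the POST body
    token = params.get("csrf_token", [None])[0]
    reason = csrf_check(method, headers, token, expected_token)
    if reason:
        return "REJECTED:" + reason
    return "APPLIED:" + ",".join(sorted(k for k in params if k != "csrf_token"))


def legit_post(expected_token: str):
    """Constructed: the GUI's own form submission from an admin logged in at the router."""
    return ("POST", "/apply.cgi", {"Origin": f"http://{ROUTER_HOST}"},
            f"remote_mgmt=1&csrf_token={expected_token}")


if __name__ == "__main__":
    tok = new_session_token()
    forged = image_fetch("http://evil.example/page.html",
                         f"http://{ROUTER_HOST}/apply.cgi?remote_mgmt=1")
    print("vulnerable:", vulnerable_handle(*forged))               # APPLIED:remote_mgmt
    print("hardened  :", hardened_handle(*forged, "", tok))        # REJECTED:...
    print("legit     :", hardened_handle(*legit_post(tok), tok))   # APPLIED:remote_mgmt
```

Two points worth noting. The method check alone is not enough (a hidden auto-submitting form on the attacker's page can send a cross-site POST), which is why the origin check and the token are layered on top; the token is the decisive one, because the attacker's page can neither read it nor guess it. Changing `ROUTER_HOST` to something other than 192.168.1.1 only changes what the attacker has to guess in the image URL; it does not alter which requests the checks accept.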
Re:This is a common stack in wifi APs (Score:5, Insightful)
1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?
2. Do you think DD-WRT was really all that much more susceptible to having a flaw than, say, something from Cisco? Or, by the same thought process, do you think open source Linux is inherently more vulnerable than Windows?
3. Homogeny? Huh?! Do you mean the homogeny that's defined as "a significant portion of huge nerds (though certainly not even close to a majority) uses this software"? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.
Software bugs happen. You don't need to get all philosophical about it. And besides, this is no more dangerous than the much larger number of people probably still using the default password on their router, and probably only slightly more dangerous than the huge number of people who don't have any kind of security. Relax.
Re:This is a common stack in wifi APs (Score:3, Insightful)
Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?
We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.
What is the likelihood of any flaw on any system getting patched? I don't see how a vulnerability in DD-WRT is any different than if Cisco announced a major vulnerability in one of their systems. I bet just about the same percentage would be patched.
Re:This is a common stack in wifi APs (Score:5, Insightful)
We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
As opposed to using the base software from Linksys/Cisco where you don't know where the flaws lie, and if someone figures it out, it rarely ever gets published on the web openly or gets fixed soon enough in a firmware update. How is that different ? At least if you use Linux, you have people who care, and only people who care about their networks or improved experience with their routers use DD-WRT/OpenWRT/Other in the first place. Most just use the default software on their routers, which remains unpatched for a large portion of its use if at all.
Re:This is a common stack in wifi APs (Score:2, Insightful)
If you had a PIX, Sonicwall, Monowall, Linksys, Netgear etc. router and it had a similar flaw, you would be equally screwed because you still have to fix it. I hope you don't think using those products is 100% risk free and that they never need to be patched/updated.
It doesn't matter if 1000 people are using [Router_X] or 100 million people are using it. This type of flaw on your equipment is not safer, better, worse, or any less of a flaw or risk to you and your network regardless of the overall penetration of that router in the field. Would you honestly feel safer and feel your network is better protected if you were using a different brand router and it had a similar flaw?
Re:This is a common stack in wifi APs (Score:3, Insightful)
What you're advocating, in a round about way, is security through obscurity.
Security through obscurity doesn't work.
All security through obscurity does is propagate a false sense of security that you're safe because you've not heard any major news headlines telling you that you're vulnerable... meanwhile, you've been rooted for 3 months.
Re:it sucks...but (Score:2, Insightful)
Linux is somewhat secure, but a LOT of the security of linux is due to a limited (unfortunately) market share. If Linux owned 30% or more of the market space for end-user goods, we'd see a HUGE influx of hacks, malware, adware, etc.
Exactly - that's the same reason why there are so many malware authors targeting Apache!
Oh wait..
Re:This is a common stack in wifi APs (Score:5, Insightful)
If you read the comments on NewEgg.com for that router model, not everyone mentions DD-WRT. Some use other 3rd party firmwares like Tomato or Open-WRT or custom builds. And believe it or not, some even write a positive review for the default factory firmware. The nice thing about that model ("L" version) is the extra memory headroom. Earlier models were stripped and crippled to run a really crappy default firmware from Linksys. BitTorrent crashes these small memory models often.
http://en.wikipedia.org/wiki/Linksys_WRT54G_series#Hardware_and_revisions
Re:Linksys suck (Score:3, Insightful)
Feel free to hate Linksys for any of the other reasons. I was royally pissed off for a long time by the relentless router reboots caused by poor interaction between the logging mechanism and BitTorrent; thankfully they released fixed firmware for that a few years ago. But I'm not going to drop them just because they overuse Flash.
Re:Mod Parent Up (Score:3, Insightful)
If people just disabled remote admin (which you should do anyway) and used different router IPs (e.g. not 192.168.1.1 or the usual), then attackers either need to do additional stuff to figure out what your default gateway is (and thus presumably your router IP), or they need to have significant control of a PC attached to the internal network (and presumably able to access the router webpage).
Re:Mod Parent Up (Score:2, Insightful)
I'll also agree that people should change the subnet that their network uses, but if they already have "significant control" of a PC on the network, then what's the point in going after the router?
Re:This is a common stack in wifi APs (Score:1, Insightful)
You obviously didn't get what he said. Homogeny means that everyone uses the same software. A single flaw makes everyone vulnerable. As opposed to where people use 10 different products, you need 10 flaws to hit everyone. Additionally the chance of one of these hacks working on a randomly selected router would be a lot lower.
It is not about open source vs. closed source.
Re:How did this happen? (Score:4, Insightful)
It's one of the reasons I don't use DD-WRT. For an Internet-facing security device, the author seems to have little regard for security.
Also, the firmware isn't really open source and the author is a humongous hypocrite.
Use Tomato [polarcloud.com] or OpenWRT [openwrt.org].