[LEDE-DEV] Stability & release plans -- CVE-2016-5195

Alberto Bursi alberto.bursi at outlook.it
Sat Oct 29 03:10:18 PDT 2016



On 10/29/2016 03:18 AM, J Mo wrote:
>
> On 10/28/2016 11:39 AM, yanosz wrote:
>> 1. I'm unhappy with the state of OpenWRT at the moment. I see some
>> trouble in building and releasing. The current code base has some bugs.
>> I haven't seen a fix for "mad cow" yet. For me it is hard to estimate
>> whether OpenWRT is able to include, build and release critical patches
>> over the next months in a timely fashion.
>
> My impression is that CVE-2016-5195 (also known by its marketing name
> for low-intellect individuals as "dirty COW") is mostly a non-issue on
> OpenWRT/LEDE. This is why you have not heard much about a response for it.
>
> The exploit is a privilege escalation. However, almost everything on a
> standard LEDE/OpenWRT system already runs as root anyway, since these
> kinds of systems are not designed for multi-user scenarios.
>

Uhm, I think you are wrong.
In OpenWRT/LEDE applications that don't need root access are run as 
unprivileged users for security reasons, so yes, a privilege escalation 
is BAD also for OpenWRT/LEDE.

root@lede:/# cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false

And for LEDE the answer to the vulnerability was "finish the porting to 
latest kernel 4.4 for all devices ASAP as that kernel is an LTS kernel so 
it received the fix upstream, and apply patches to other kernels", see 
these mailing list posts:
http://lists.infradead.org/pipermail/lede-dev/2016-October/003579.html
http://lists.infradead.org/pipermail/lede-dev/2016-October/003580.html

So current LEDE is already protected; I don't know if this stuff also 
ends up in OpenWRT.

-Alberto
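
Added example, not part of the original post: the /etc/passwd listing above shows which service accounts exist, and this sh script reports which processes actually run under them by reading the effective UID from /proc/<pid>/status. The function names and the sample tree (PIDs, process names) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the account each process runs as.

# uid_name PASSWD UID: account name for UID, or the bare UID if no entry exists
uid_name() {
    awk -F: -v u="$2" '$3 == u { print $1; f = 1; exit }
                       END { if (!f) print u }' "$1"
}

# priv_audit [PASSWD] [PROC]: print "<account> <euid> <process name>" per process
priv_audit() {
    passwd=${1:-/etc/passwd}
    proc=${2:-/proc}
    for st in "$proc"/[0-9]*/status; do
        [ -r "$st" ] || continue          # process exited or glob did not match
        # "Uid:" lists real, effective, saved and filesystem UIDs; $3 is effective
        euid=$(awk '$1 == "Uid:" { print $3 }' "$st")
        name=$(awk '$1 == "Name:" { print $2 }' "$st")
        [ -n "$euid" ] || continue
        echo "$(uid_name "$passwd" "$euid") $euid $name"
    done
}

# unprivileged_count [PASSWD] [PROC]: processes whose effective UID is not 0
unprivileged_count() {
    priv_audit "$@" | awk '$2 != 0 { n++ } END { print n + 0 }'
}

# make_sample DIR: constructed passwd (entries from the post) and a fake /proc
make_sample() {
    mkdir -p "$1/proc/1" "$1/proc/812" "$1/proc/900"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/ash' \
        'nobody:*:65534:65534:nobody:/var:/bin/false' \
        'dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false' > "$1/passwd"
    printf 'Name:\tprocd\nUid:\t0\t0\t0\t0\n' > "$1/proc/1/status"
    printf 'Name:\tdnsmasq\nUid:\t453\t453\t453\t453\n' > "$1/proc/812/status"
    printf 'Name:\tuhttpd\nUid:\t0\t0\t0\t0\n' > "$1/proc/900/status"
}

# Demo on the constructed sample; on a device call priv_audit with no arguments
dir=$(mktemp -d) && make_sample "$dir"
priv_audit "$dir/passwd" "$dir/proc"
echo "unprivileged processes: $(unprivileged_count "$dir/passwd" "$dir/proc")"
rm -rf "$dir"
```

Every process reported with a non-zero effective UID sits on the far side of the boundary that a local privilege escalation crosses.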


