[OpenWrt-Devel] Did they check security of OpenWrt?

Dmitry Tunin hanipouspilot at gmail.com
Tue Aug 20 11:58:53 EDT 2019


Rich,

OpenWrt is a Linux distro. It has all security as any other one. All
CVE are timely addressed.
There is no need for special tests.

вт, 20 авг. 2019 г. в 18:34, Rich Brown <richb.hanover at gmail.com>:
>
> Hi Vincent,
>
> I don't know whether the article, or its underlying report from Cyber Independent Testing Lab - CITL, is a joke or not. (Although, I'll agree that any firmware using 18-year old kernels is on its face a security joke.)
>
> My questions were more about OpenWrt. How would our current builds stack up under the criteria used in the report's table? It listed:
>
> - Stack Guards
> - ASLR
> - RELRO
> - Fortify SRC
> - Non-Exec Stack
>
> And are there other security practices that we enforce that would make an OpenWrt system more secure?
>
> If OpenWrt compares favorably, it occurs to me that we could invite CITL to review OpenWrt builds (on hundreds of routers) and update their report...
>
> Thanks.
>
> Rich
>
> > On Aug 20, 2019, at 9:43 AM, Vincent Wiemann <vincent.wiemann at ironai.com> wrote:
> >
> > Hi Rich,
> >
> > the article is a joke. I'm not talking about the researchers, but about citing a statement like:
> > „However, those same firmware binaries did not employ other common security
> > features like ASLR or stack guards, or did so only rarely,“
> >
> > Look at the source-code of the mentioned vendors. They partially use 18 years old kernel code and
> > Telnet-like management interfaces.
> >
> > Regards,
> >
> > Vincent
> >
> >
> > On 20.08.19 13:21, Rich Brown wrote:
> >> Hi folks,
> >>
> >> You've probably seen the Slashdot article about (lack of) security gains in router firmware. https://yro.slashdot.org/story/19/08/16/2050219/huge-survey-of-firmware-finds-no-security-gains-in-15-years The original article on Security Ledger is at: https://securityledger.com/2019/08/huge-survey-of-firmware-finds-no-security-gains-in-15-years/
> >>
> >> Two questions:
> >>
> >> 1) Does anyone know if the researchers looked at OpenWrt?
> >>
> >> 2) If not, how would OpenWrt stable or snapshot have fared in the analysis? Do we enable stack guards, ASLR, etc. on all builds?
> >>
> >> Thanks.
> >>
> >> Rich
> >> _______________________________________________
> >> openwrt-devel mailing list
> >> openwrt-devel at lists.openwrt.org
> >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> >>
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


More information about the openwrt-devel mailing list