[OpenWrt-Devel] Building OpenWRT static kernels
Jean-Michel Pouré - GOOZE
jmpoure at gooze.eu
Mon Mar 23 13:55:16 EDT 2015
> you would be horrified to look under the covers of most linux based
> appliances,
> a lot of them are running a stock redhat/centos install with very
> little
> customization outside of the userspace app that they run. Gaping
> security holes
> in such appliances are common.
Yes, I agree with you.
For example, DLink DGS-1210 products revision A1 are running a very old
2.6 Linux kernel and it could be very easy to penetrate, especially
because no update is done on the firmware. All source code is available,
so it is a matter of days before you understand how to break in. You
probably only need to look at OpenSSL vulnerability list ...
On the converse, we may discuss attack surface : a static kernel can
have a very low attack surface. When it includes GrSec, it can become
very difficult to penetrate. Hopefully ... DLink appliances are using
GrSec.
With current OpenWRT configuration, the attack would be Luci => Kernel
module. I wonder if specialized companies offer "on the shelf"
penetration tools for OpenWRT, but it would not be surprising.
IMHO, with current penetration tools, not using GrSec or a static kernel
or both is simply too low.
Kind regards,
Gnutella
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list