Is LEDE affected by this? (VPN Filter exploit)

Is the LEDE codebase affected by the so-called "VPN Filter" exploits described by this article?

1 Like

See CERT Advisory: VPNFilter Destructive Malware for current status.

(Right now, the answer is "unknown" for current releases and "quite possible" for older releases, but not enough technical details to know for either.)

1 Like

I'm not sure about the codebase; but none of the currently-known ports used as initial "scout vectors" are opened on WAN by default.

1 Like

Just read that article, too! Scary stuff! I guess if we're not sure, just reboot!

If you're not sure:

  • Save the config
  • Flash a known-good copy of the firmware from the downloads site
  • Manually restore configs by visually comparing the text files in the TAR

This malware's Phase 1 is persistent and has been observed to survive a reboot.

1 Like

The part about the configs is a bit paranoid. The /etc/config folder should have absolutely nothing to do with the infection.

Unless the executable binary is added to /etc/config.