I have an OpenWRT network with several clients. One of the clients of the network got severely infected with malware. I don't have visibility on what malware they were (it was a friend who stayed a few days).
Is it possible that malware on the clients installed malware on the OpenWRT router?
Highly unlikely I'd say. Do you have a complex password for openwrt?
You could consider a guest network to isolate visitors, devices that don't need LAN access and untrusted devices.
there are malwares out there targeting routers with exploits in the stock fw, but probably nothing that would affect openwrt devices kept up to date.
I have a complex password, yes.
And I have a guest network, which this device only had access to.
I set up the guest network with option isolate '1', so hopefully that helped in avoiding for the malware on this device to contaminate others.
Ok, that makes sense. Do you have some links on these malware by any chance? It would be good for me to educate myself on that, so that I understand the risk more precisely. For example, I'd like to understand if these malware can contaminate stock fw simply by crafting malicious frames, or if they require access to the admin panel.
something like https://www.pcrisk.com/internet-threat-news/8596-asus-wireless-routers-vulnerable-to-attack-from-local-network
they find holes in the sw running on the router, or holes in the webui, where the logon check isn't working/implemented.
Thanks for that, that makes sense.
With OpenWrt, I feel we have much better control of what services are running on the router, so I feel the attack surface is reduced.
It depends on the malware type and the window of vulnerability.
This may become risky if the malware targets routers and can update its own exploits automatically.
Critical vulnerabilities in BusyBox, Dropbear, uHTTPd leading to arbitrary code execution are not impossible, so it depends on whether you update the firmware before the malware updates its exploits.
A possible solution is moving vulnerable devices to a separate VLAN or SSID with restrictive firewall policy.
Ok, that makes sense. I have set up a separate SSI, with option isolate '1'. Can you please give more details on what you mean by "restrictive firewall policy"?
Apart from compromised systems exploiting potential security issues in the services you're running on the router, it depends on your firewall what kind of access systems on your guest network have in the first place (e.g. luci doesn't generally need to be served to the guest network, ssh neither, to cover the default services - similar considerations apply to addon services).
It's hard (impossible) to judge from the outside what the actual exposure to the malicious system was - and what the risks were, both to the router itself, as well as the other systems attached to it. If you don't want to go the 'safe route' of reflashing/ reinstalling/ reconfiguring 'everything' (down to the last phone, TV, smartplug, etc.), you'd need to do a proper post mortem of the situation - checking where the compromised system could have been attached to and what kind of access it might have gotten; this is hard work, for both options.
Right, that makes sense.
I guess there are two main things to do
Regarding 2, I am trying to figure out what the right approach is to create a truly isolated network, that does not even share the router. I can think of the following options:
Buy a second physical line from my ISP, with a different router. That seems very safe, but I'd be happier finding a simpler solution
Attach a second openwrt Router to the ISP router.
Is that possible? Can an ISP router do bridge mode for 2 clients?
If it is possible, I guess one could argue malware could still attack the ISP router, and then infect OpenWrt Router 2 and the secure network.
That seems like the best option. Do you think it is possible?
Aside from having a malware-laden device on your isolated network, what (if any) issues did it cause?
As long as you follow some very basic good practice,, you can do everything you need with a single OpenWRT box:
Only bind the luci web interface and the dropbear SSH listener to a privileged network (i.e. one you don't let guests onto, and definitely not the WAN side). This will require a couple of config file edits to limit access to LUCI - or you could setup a firewall rule for the unprivileged/isolated networks to block access to ports 80 and 443 on the router itself.
Ensure that the only thing that the guest/isolated network can reach is the Internet. Don't forward from the guest/isolated zone to the LAN/privileged.
Other than that, If the incoming fiber is connected to an ONT which you then connect to via the customer port, they will not let you split/splice the fibre to add a separate device. The presentation to you is the downstream port of their CPE; whether you can plugin a switch and have two downstream OpenWRT devices is entirely subject to their Ts&Cs. My cable modem here in the UK allegedly allows me three attached devices, but I've never tried it!
I could not see anything. There's always the fear that there is something hidden somewhere, but there is nothing visible.
Ok, that's interesting. You are quite confident that a locked down openWrt box is very safe?
In my configuration, I simply rejected all input from the untrusted network:
## firewall
config zone
option name 'untrusted_network'
list network 'untrusted_network'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding
option src 'untrusted_network'
option dest 'wan'
config rule 'untrusted_network_dhcp'
option name 'Allow-DHCP-Untrusted'
option src 'untrusted_network'
option dest_port '67'
option family 'ipv4'
option proto 'udp'
option target 'ACCEPT'
onfig rule 'untrusted_network_dns'
option name 'Allow-DNS-Untrusted'
option src 'untrusted_network'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config redirect 'untrusted_intdns'
option name 'Intercept-DNS-Untrusted_network'
option src 'untrusted_network'
option src_dport '53'
option proto 'tcp udp'
option target 'DNAT'
A few notes:
option Interface 'lan' in dropbear would be redundant with option input 'REJECT' in firewallWith these settings, you think malware on the untrusted, guest network cannot attack the router? The router cannot be attacked via maliciously crafted frames?
Never say never, but in answer to your last question - there have been no CVEs recorded against OpenWRT that result from specially-crafted network traffic. There may be hardware vulnerabilities that are yet to be found, but if you prevent a device from talking directly to any services on an OpenWRT router then you've mitigated >99.9% (or more) of the potential for known attacks at this time. Most of the previous weaknesses that could result in remote code execution have been in the web UI, and there haven't been many of them.
This isn't that specific to OpenWRT, it's just good practice in terms of system management. Only let things you trust have access, and keep that access limited.
That all makes sense, thanks a lot!
One of the things malware tries to leverage in border routers is UPnP services. If you have those disabled, that's one less slot in which it might attempt its prybar.
That makes sense. I have not enabled it.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.