Minor ver. update causing extra OpenWrt SSID to appear with no encryption

Topic says it all.
I installed a minor update and, much later, realized that an extra SSID named OpenWrt with NO security was created. Why did this happen? Isn't this a security issue...?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

By default there's an OpenWrt SSID shipping with the image, but it's disabled.
Are you sure it wasn't there before the sysupgrade?


So now you got me guessing. It may have been there on the initial OpenWrt install but I definitely would've deleted it. Does it get recreated after every upgrade? It was NOT disabled when I noticed it, after a recent minor upgrade.

Sorry, I had already deleted the extra SSID. It was attached to radio1.

ubus call system board

{
        "kernel": "5.10.176",
        "hostname": "SANITIZED",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear R8000 (BCM4709)",
        "board_name": "netgear,r8000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "bcm53xx/generic",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}


cat /etc/config/network

# /etc/config/network as posted by the reporter. Addresses, netmasks, DNS
# servers and the WAN MAC were replaced with 'SANITIZED' before posting.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

# Bridge device joining the four wired LAN ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Main LAN: static address on br-lan; ipv6 and delegate are both set to '0'.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask 'SANITIZED'
        option ip6assign '60'
        option ipaddr 'SANITIZED'
        option ipv6 '0'
        option delegate '0'

config device
        option name 'wan'
        option macaddr 'SANITIZED'

# WAN over DHCP; peerdns '0' together with the explicit 'list dns' entries
# means the listed resolvers are used instead of the ones offered by the ISP.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns 'SANITIZED'
        list dns 'SANITIZED'
        option ipv6 '0'

# DHCPv6 client on the same device; auto '0' keeps it from starting on its own.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns 'SANITIZED'
        list dns 'SANITIZED'

# Separate guest network. No 'option device' is set here; the only attachment
# visible in the posted files is wifi-iface 'default_radio1' in
# /etc/config/wireless (option network 'Guest').
config interface 'Guest'
        option proto 'static'
        option ipaddr 'SANITIZED'
        option netmask 'SANITIZED'
        list dns 'SANITIZED'
        list dns 'SANITIZED'


cat /etc/config/wireless

# /etc/config/wireless as posted, captured after the reporter had already
# deleted the extra open SSID. Three radios, one access-point interface each.
# SSIDs and keys were replaced with 'SANITIZED' before posting.
# NOTE(review): every wifi-iface left in this dump uses encryption 'psk2';
# there is no section with an open (unencrypted) SSID and no 'option disabled'
# line anywhere, so the dump cannot show how the reported SSID was configured.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option cell_density '2'
        option country 'US'
        option channel '161'
        option htmode 'VHT40'

# 5 GHz AP bridged to the 'lan' network.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'SANITIZED'
        option encryption 'psk2'
        option key 'SANITIZED'

# 2.4 GHz radio. The reporter states the extra open SSID was attached to this
# radio before it was deleted.
config wifi-device 'radio1'
        option type 'mac80211'
        option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:01.0/0001:03:00.0'
        option band '2g'
        option country 'US'
        option cell_density '2'
        option htmode 'HT20'
        option channel '1'

# Guest AP: attached to the 'Guest' network, with client isolation
# (isolate '1') enabled.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option isolate '1'
        option network 'Guest'
        option ssid 'SANITIZED'
        option key 'SANITIZED'

config wifi-device 'radio2'
        option type 'mac80211'
        option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:02.0/0001:04:00.0'
        option band '5g'
        option channel '48'
        option country 'US'
        option cell_density '2'
        option htmode 'VHT40'

# Second 5 GHz AP, also bridged to 'lan'.
config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'SANITIZED'
        option encryption 'psk2'
        option key 'SANITIZED'


cat /etc/config/dhcp

# /etc/config/dhcp as posted: dnsmasq settings plus DHCP pools for 'lan' and
# 'Guest'; DHCP is not served on 'wan'.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # DNS rebinding protection is switched on, including for localhost.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

# LAN pool: start '100', limit '150', 12-hour leases.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# ignore '1': no DHCP service is offered on the WAN interface.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool with the same start, limit and lease time as the LAN pool; the
# matching firewall rule 'guestDHCP' is what lets guest clients reach it.
config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'


cat /etc/config/firewall

# /etc/config/firewall as posted: global defaults, three zones (lan, wan and a
# guest zone spelled 'gueat'), two forwardings towards wan, and per-protocol
# rules. Rules carrying "option enabled '0'" are switched off.
# Global fallback policies; each zone below sets its own input/output/forward.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

# Trusted zone: everything accepted.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Untrusted zone: inbound traffic to the router is dropped, forwarding is
# rejected, and outbound traffic is masqueraded.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

# Lets DHCP replies (UDP port 68) from the WAN side reach the router.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Disabled: the router does not accept IPv4 echo requests from wan.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# The four IPv6 rules that follow are all disabled (enabled '0'), matching the
# ipv6 '0' settings in the posted network config.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

# NOTE(review): this rule and 'Allow-ISAKMP' below are enabled and accept
# traffic forwarded from wan into the lan zone (ESP, and UDP port 500). They
# look like stock rules; if no IPsec endpoint sits behind the router they can
# be disabled to narrow what wan may forward to lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone. The name 'gueat' looks like a typo for 'guest', but the same
# spelling is used by the forwarding and both rules below, so the references
# are consistent. input and forward are REJECT: guests cannot reach the router
# or other zones except through the explicit entries that follow.
config zone
        option name 'gueat'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'
        option input 'REJECT'

# Guests may go out to wan only; there is no forwarding from 'gueat' to 'lan'.
config forwarding
        option src 'gueat'
        option dest 'wan'

# No 'dest' is set, so this covers traffic addressed to the router itself:
# DHCP requests (UDP port 67) from guest clients.
config rule
        option name 'guestDHCP'
        list proto 'udp'
        option src 'gueat'
        option dest_port '67'
        option target 'ACCEPT'

# DNS queries from guests to the router. No 'proto' is given; presumably the
# firewall's default protocol set (TCP and UDP) applies - confirm.
config rule
        option name 'guestDNS'
        option src 'gueat'
        option dest_port '53'
        option target 'ACCEPT'

Well, the config files have been over-sanitized, so it’s impossible to see even the SSIDs. But from what is there, I do not see one called “OpenWrt”, so I’m guessing that it either isn’t there (anymore?) or the OP is describing the default state of a system.


As I said, I had already deleted the Openwrt SSID. (not sure if you wanted to glean other info from the output)
The concerning issue is that the Openwrt SSID (which wasn't there before the update) was added and NOT automatically disabled after the minor update.

This is more of an FYI - something to look out for in future builds. The OpenWrt team does great work. I'm just giving some feedback.

Thanks!

I had missed that.

The intent was to understand more about your general config -- the closer it is to defaults, the more likely it is that this SSID was already in the config without you realizing it... but it would have been disabled.

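I am pretty sure you are the first to report this issue. What was the version you were coming from previously? It seems you upgraded to 22.03.5... do you have a backup of the config from before the upgrade? This can be reviewed (by you and/or us) to see if it was in the config -- specifically, whether /etc/config/wireless in the backup already had a wifi-iface section with the SSID 'OpenWrt', and whether it was marked as disabled.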

And, would you be willing to downgrade, restore the backup (if you have it), and then upgrade again... this would allow an opportunity to try again with the same starting position and see if you can reproduce the problem. And if you can, we can try the same thing -- if it is reproducible, we can figure out what might be going on and/or you can file a bug.

Unfortunately, I can't currently take the router down. I may have a backup from before the update though. I will check this week and post back if I find anything interesting. Thanks.
