OpenWrt version visible before login

Hello,
it's some month that i use Openwrt on all my routers.
In every install, the software version is visible before the login. I think that this is a potential security issue for people that are not upgrading every single version or that have versions with known bugs.

What do you think about that? Any way to remove this info from the login screen?

Bye!

That info is only displayed upon a successful login. No risk.

It's visible on my login screen and I agree with @yells, it's unnecessary information leakage:

I assumed the OP was talking about via ssh. I do not recommend exposing luci to the WAN. If you must, consider tunneling http through ssh.

With this setup, you minimize the risk of LuCI webserver being brute-forced and prevent unauthorized access to LuCI web interface, as long as your SSH setup is secure (disabling password and using only public key authentication)

1 Like

This isn't an real issue. An attacker would use/have a set of known vulnerabilities for a given target. He would aim for easy targets like open ports/services first.
On top of that: LuCI is by default not reachable from WAN/outside LAN. If an attacker can reach LuCI he is inside the LAN already! If an attacker is acting from inside your LAN you are already lost. :wink: Don't make LuCI reachable over WAN!

1 Like

You can also deduce the running version from the translation feeds, the CSS, the layout, whitespace and indentation of the markup, the webserver response times and TLS cipher selection, the ETags and Content-Length headers of fetched resources, the contents of pictures as well as the contents and modification times of directory listings.

In short, hiding the version only slightly complicates version discovery. Apart from that, exploit candidates against potential vulnerabilities in OpenWrt will likely be executed in a brute-force manner and not rely on any previous version detection.

Still if you feel that hiding static assets etc. pre-login increases your security, you can enable HTTP basic authentication using this command:

echo '/:root:$p$root' > /etc/httpd.conf && /etc/init.d/uhttpd restart

Only downside is that you cannot logout of LuCI anymore since your browser will always send the login credentials throughout the lifetime of your browser session.

To revert the change, run rm -f /etc/httpd.conf && /etc/init.d/uhttpd restart

5 Likes

Thanks! This was very interesting to me.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.