OpenWrt Forum Archive

Topic: Does OpenWrt 15.05.1 need a patch to fix CVE-2016-10229

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.

https://cve.mitre.org/cgi-bin/cvename.c … 2016-10229

Since OpenWRT is not developed anymore, I don't think there will be a patch. Use LEDE instead.

That CVE is in all kernels before 4.5 and LEDE is on 4.4, so I think that even the newer LEDE will need a patch. LEDE trunk is now up to K4.9.

I'm not allowed to post links. I'll still quote a few guys from reddit. Prepend the /r/ with reddit.com

/r/openwrt/comments/657ojg/udp_remote_code_execution_in_linux_45/

The Patch was backported to 4.4.39 released on 2016-12-15, merged to LEDE a day later. So everyone running the stable release or updated to a trunk build this year should be fine.

/r/linux/comments/654xee/udp_remote_code_execution_in_linux_45/dg8fe8v/

The remote attack requires an open UDP port and software which uses the relatively rare MSG_PEEK flag.

If you want code execution rather than just a crash, you also need precise info about the kernel version and a pre-prepared attack. It's certainly not the case that a single packet sprayed across the internet will cause all Linux machines to become pwned.

Local attacks (i.e. users who can already log in to a machine and want to upgrade to root) look very viable.

As the LEDE release is on 4.4.50 it should not be vulnerable; see this link: www dot securityfocus dot com/bid/97397

MagicSimon wrote:

Since OpenWRT is not developed anymore, I don't think there will be a patch. Use LEDE instead.

I know there is talk about/plans for a merger, but didn't think this has happened yet?

Any advice for people on OpenWRT to patch this without going through an OS change?

Switching to LEDE is not really an OS change, since it is a fork of it. All the basics are the same (installation routine, configuration, LuCI ...). The difference between LEDE and OpenWRT is similar to the difference between versions of OpenWRT. You could just regard LEDE as the latest stable release of OpenWRT.

The commit exposing the issue was added in 4.2. The fix applies cleanly onto 4.4. Just download and drop the patch below into target/linux/generic/patches-4.4 and build a new image.

https://git.kernel.org/pub/scm/linux/ke … 2abbf93191
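A quick way to turn the version boundaries mentioned in this thread (exposing commit in 4.2, mainline fix in 4.5, stable backport in 4.4.39) into a check you can run on a router's shell. This is an added example, not code from the thread or from OpenWrt/LEDE; it assumes the 4.4.39 backport date is correct and, since the thread says nothing about 4.2.x or 4.3.x stable trees, reports everything from 4.2 up to 4.4.38 as vulnerable.

```shell
#!/bin/sh
# Added example (not from the forum thread): classify a kernel version string
# against the ranges stated in the thread for CVE-2016-10229.
#   < 4.2           -> not-affected (predates the commit that exposed the bug)
#   4.4.39+ or 4.5+ -> fixed        (stable backport / mainline fix)
#   anything else   -> vulnerable   (assumption: no backport for 4.2.x/4.3.x)
# Usage: kernel_cve_2016_10229_status "4.4.50"   prints one of the words above

kernel_cve_2016_10229_status() {
    # keep only the numeric part, e.g. "4.4.50-ge0f3c5a" -> "4.4.50"
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0          # no minor component at all
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # e.g. "4.5" has no patch level
    : "${major:=0}" "${minor:=0}" "${patch:=0}"

    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 2 ]; }; then
        echo not-affected
    elif [ "$major" -gt 4 ] || [ "$minor" -ge 5 ]; then
        echo fixed                         # mainline fix is in 4.5 and later
    elif [ "$minor" -eq 4 ] && [ "$patch" -ge 39 ]; then
        echo fixed                         # stable backport landed in 4.4.39
    else
        echo vulnerable
    fi
}

# Stand-alone use: check the kernel this shell is running on
kernel_cve_2016_10229_status "$(uname -r)"
```

On an OpenWrt 15.05.1 box this reports the kernel as vulnerable unless the patch linked above has been applied and a new image built; after rebuilding, the version string alone does not prove the patch is in, so check the build's patch list as well.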

As for missionaries, they don't care about you. All that matters is spreading their own made up truth.

The discussion might have continued from here.