Re: [WLANware] NAT Slipstreaming (CVE-2020-28041)

Subject: Re: [WLANware] NAT Slipstreaming (CVE-2020-28041)
From: daniel@makrotopia.org (Daniel Golle)
Groups: freifunk.de.wlanware
Organization: Newsserver Weimarnetz e. V.
Date: 04 Nov 2020, 02:24:14

We've discussed this on the IRC channel on the same day, see
https://freenode.irclog.whitequark.org/openwrt-devel/2020-11-02#28272739

Summary:
The attack is based on a proprietary kernel module which is not
included in official OpenWrt (Linux 2.6.36.4brcmarm+, offending
module is called tdts.ko).
Any recent version of OpenWrt is fine as even if other similarly
vulnerable nat-extra modules were installed, they would not be
assigned automatically.

Nobody should still be using EOL'ed OpenWrt with Kernel as old as
4.7 (that'd be LEDE 17.01 running Linux 4.4, OpenWrt 18.06 is running
a mix of 4.9 and 4.14, depending on the target). So in case you
haven't updated your router in 3 years, please do so now if you want
to make sure your users to accidentally open ports by visiting a
malicious website. To the best of my knowledge you would still not
be affected, as vanilla Linux' NAT helpers are always only snooping
on specific ports and would not be triggered by something happening
on port 80. But to be sure, update to at least OpenWrt 18.06.

If you are using proprietary firmware on your gateway running
Linux 2.6, well, you most likely got some more problems....


On Wed, Nov 04, 2020 at 12:30:30AM +0100, Saverio Proto wrote:
Hello,

I apologize for cross posting.

On 31.10.2020 this new attack was released:
https://github.com/samyk/slipstream

I am not 100% sure OpenWrt is vulnerable. It is also hard to say because
the Kernel Version depends on the OpenWrt target.

What are common values for:
$ uname -a
and
$ cat /proc/sys/net/netfilter/nf_conntrack_helper

?

I tried to propose this PR, but I am not sure it is the correct way to
patch OpenWrt to fix this.

https://github.com/openwrt/openwrt/pull/3564

Is anyone else working on this?

My 2 cents

thanks

Saverio
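
A check for the three facts this thread turns on (kernel release, the nf_conntrack_helper value, and the loaded modules), as an added example that is not part of either post. The flag names and the list of helper modules it looks for are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): classify a router from the facts the
# thread asks for. Flag names (tdts, auto-assign, eol-kernel) are made up here.

# Succeeds if kernel release $1 (as printed by `uname -r`) is older than 4.7,
# the kernel version the thread uses as its cut-off.
kernel_older_than_4_7() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "${minor:-0}" -lt 7 ]; then return 0; fi
    return 1
}

# assess RELEASE HELPER MODULES
#   RELEASE  output of `uname -r`
#   HELPER   content of /proc/sys/net/netfilter/nf_conntrack_helper, or "absent"
#   MODULES  module list in /proc/modules or lsmod format (name in column 1)
assess() {
    flags=""
    # The proprietary module the thread names as the offending one.
    if printf '%s\n' "$3" | grep -q '^tdts[[:space:]]'; then
        flags="$flags tdts"
    fi
    # Helper modules only count here if loaded AND assigned automatically.
    if [ "$2" = "1" ] && printf '%s\n' "$3" |
        grep -Eq '^nf_(conntrack|nat)_(sip|h323|ftp|irc|tftp)[[:space:]]'; then
        flags="$flags auto-assign"
    fi
    if kernel_older_than_4_7 "$1"; then
        flags="$flags eol-kernel"
    fi
    echo "${flags:- ok}" | sed 's/^ //'
}

# Run against the local system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    helper=$(cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null || echo absent)
    assess "$(uname -r)" "$helper" "$(cat /proc/modules 2>/dev/null)"
fi
```

The output is `ok` or a space-separated list of flags; `auto-assign` means a helper module is loaded while automatic helper assignment is switched on.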