[qGUBcZWwBHb1]

I've mentioned this several times in the past but I'm now posting a scan using Nexpose to show the vulnerabilities identified.

Until these are addressed, do not assume that DDWRT is secure.

It's really too bad since these are mostly easily implemented configuration changes. Let the devs know if this matters to you.

[<Kong>]

[qGUBcZWwBHb1]

Challenge accepted.

The following is tested against your r30430M build. Just installed tonight.

The tool used is https://testssl.sh . You can use this to verify the output yourself.

Output can be seen here. http://pastebin.com/Lmk3BGTY

Let's go through what is wrong:

1. TLSv1.0 and TLSv1.1 are offered. This isn't ideal. TLSv1.2 is the only one considered secure. See last paragraph https://www.imperialviolet.org/2014/12/08/poodleagain.html
2. 3DES ciphers offered. Not recommended
3. Self-signed cert still uses deprecated SHA1
4. Secure Client-Initiated Renegotiation - Vulnerable
5. CRIME, TLS (CVE-2012-4929) - Vulnerable
6. Missing HTTP security headers. See securityheaders.io
7. Things like HSTS, X-Content-Type-Options, Content-Security-Policy, X-Frame-Options, X-XSS-Protection at a minimum
8. BEAST (CVE-2011-3389) - Vulnerable. Bad ciphers: DES-CBC3-SHA AES128-SHA AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
9. Only forward secret ciphers should be used
10. The DNS amplification attacks are real but have limited mitigation due to how dnsmasq is used. At a minimum, the following flags should be included: --local-service -z

Do not blindly assume that simply enabling AES means you are secure. That is completely untrue.

Ball is in your court. I'm happy to help if you are willing to listen.

[HalfBit]

[qGUBcZWwBHb1]

You aren't the only one that does infosec =) If I were to take your comments at face value, not dealing with EXTRABACON etc. because they are "corner cases" would be the norm (don't you trust your ASA?). Yeah, no.

I, for one want to improve the tools that I use and not accept the status quo. Trust but verify and all that good stuff.

Read my comment again, I'm offering to help get these fixed whereas your comment about just going back to stock firmware is frankly not very useful.

PS. there's a reason why server side cipher selection is preferred.
PPS. R7000.

[HalfBit]

Glad you took my facetious comments, and band-aid solutions/suggestions well. Have you tested stock FW at all?

[Avichi]

..I am one of them , I posted a comment yesterday http://www.dd-wrt.com/phpBB2/viewtopic.php?t=303763 about the [DoS attack: ACK Scan] and [DoS attack: FIN Scan] etc on my new Netgear R6900, so I went and posted it and replaced it with R7000, guess what we have the same problem, I have the similar attack on R7000, now I know DD-WRT I was able to run some scripts and protect my firewall. The firmware does not allow that, I am not aware of any way this is can be done, after google search , I found out that Netgear has this problem and people have complained about the Factory default firmware. I am not sure it is specific to Netgear R7000 or many other brand names.

R7000 logs
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [216.58.216.36], Friday, Aug 19,2016 12:54:42
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [216.58.217.196], Friday, Aug 19,2016 08:40:28
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [216.58.219.46], Thursday, Aug 18,2016 20:19:18


I am sure you two gentleman and Kong and BS could shed some light to the million sof DD-WRT users who adore the work they do for the community, I understand they may not be "Perfect", why cannot all three of you join forces to the help the less fortunate and handicapped (Intellectually)

Thank in advance,

Avi

[<Kong>]

[Avichi]

Kong, Thanks for the reply, this is exactly what I mentioned when I said the issue could be stemming from the "Older versions" of kernel, and additional features. upstream developers.

I wish I could send my little contribution to BS , as I think your contributions to community is very critical for "less intellectually capable" like me. Please let me know how I send my modest contribution, I feel I owe you for the software BS developed for E3000 for past 6 years and I started using your version about 2 months back.

Einstein said it best Ego=1/Knowledge i.e "More the Knowledge Lesser the Ego,Lesser the Knowledge More the Ego"

I think DD-WRT community has well intended people who want to help, i think there many newbie (including me) who need to reduce the left side of the equation.

[qGUBcZWwBHb1]

Kong, as mentioned, most of the issues are config related issues and not source related so there's really nothing for upstream to fix other than shipping better factory defaults.

IIRC, I did open issues in the bug tracker a while ago. I'll see if I can find them again and post them here.

BTW, I did rerun with Nexpose again and found the following. Interestingly, curl returns a "(52) Empty reply from server"

MOD EDIT: Image too big for this forum. It makes posts impossible to read on many monitors. I felt the unreadable comments were more important than this image. Please repost accordance with the forum rules, or cut and paste the results in a post.

[ju2wheels]

Hi, post jacking a bit as I had a similar question I was just looking into. Can we set the TLS version/ciphers we want for the HTTPS management portal in a persistent config file somewhere or is that baked into the build?

Based on Kongs comment above it almost sounds like its baked into the build but want to double check.

Thanks,

[Alozaros]

[RMerlin]

Using a security tool is one thing. Knowing how to use it is another. You have to tailor the tests for the specific target. For example in this case, the tool reports that the router is able to do recursive DNS lookups. Well this is perfectly normal, since the router IS intended to provide resolution services to the LAN. This is a test that should only be run against a public facing, typically authoritative nameserver (which serves specific zones).

From time to time I also have to deal with people sending me a long list of "OMG security holes!" reports spit out by some tool that they ran against my firmware. A first scan at the list typically dismisses 1/3 of the reported "issues" as being "perfectly normal", or "not a problem within a LAN context".

Testing a router requires different tests from testing a public-facing server. And the tests also change based on whether you test from the WAN side, or from the LAN side. Having open SMB ports is perfectly normal on the LAN side. On the WAN side - not so much.

And I concur that the same tests should be run against the stock firmware first, to establish a baseline. Because if DD-WRT comes up with fewer security issues, then it means it's still a better solution than sticking with the OEM firmware. Quite a few of OEM firmwares contain stuff that should keep you awake at night, between the voluntary backdoors and the 10 years old OpenSSL versions they contain.

[barryware]

Wash it down with gasoline (petrol), and dry it with a match.. Problem solved..

[qGUBcZWwBHb1]