[sf-lug] Monday meeting and Bobbie Sellers' news

Rick Moen rick at linuxmafia.com
Sun Apr 15 22:59:11 PDT 2018


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> The only difference between having any non-modem functionality and not
> is software.

Yes, I understand that.

Having a residential gateway with just about everything but the modem
functionality disabled is probably fine.  It just strikes me that the
best way to ensure it cannot be part of the attack surfaces is for it to
not be there in the first place.  And the fact that you can in theory
load a different set of software onto a residential gateway matters, but
only if you can and will do that.

Also, if I were shopping for a (true) DSL modem, a device that can be
made to emulate one by disabling a big list of firmware-based functions
would not be my top choice.

> Take the previously mentioned Netgear DM200 for example:
> It's a modem, and it's not designed to have non-modem functionality, but
> reflashed with OpenWrt, it's a full wired router, just short on Ethernet
> connectors.

After reflashing with OpenWrt, it could be trivially configured to run
only the functions actually needed.  With a little more work, as an
additional security precaution, unused system software can be removed or
at least stripped of elevated privilege.  (SUID-root binaries are a
security risk on a system even if you don't intend to run them, as they
might be usable by attackers to elevate privilege.)

> Similarly, the DG834G in bridge mode will have no non-modem
> functionality aside from a Fast Ethernet switch.

The Netgear DG834G default preload is a Linux distro, right?  ISTR it's
this stuff:
https://kb.netgear.com/2649/NETGEAR-Open-Source-Code-for-Programmers-GPL

So, if you put that distro in 'bridge mode', yes, you have a reduced
attack surface, but (my point) you still have a boatload of now-unused
system software, some of it probably sitting there usable as a privilege
escalation path by attackers who find a way to spawn a local process.
In that sense, it would be more bettah' for that software to not be
there.
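The precaution Rick describes above (finding the SUID/SGID binaries a stripped-down gateway no longer needs and removing their elevated privilege) can be scripted. The following is an added example for this thread, not code from either poster or from OpenWrt: it assumes a POSIX shell with `find` and `chmod`, the function names `audit_suid` and `strip_suid` are made up here, the allowlist file is a hypothetical convention for binaries you still want to keep setuid, and the directory tree it runs against is constructed in a temporary directory so the script is safe to try anywhere.

```shell
#!/bin/sh
# audit_suid DIR
#   Print every regular file under DIR whose setuid (4000) or setgid (2000)
#   bit is set. -xdev keeps the walk on one filesystem so a gateway's
#   /proc, /sys and mounted media are not scanned.
audit_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_suid DIR
#   Number of setuid/setgid files under DIR (whitespace from wc trimmed).
count_suid() {
    audit_suid "$1" | wc -l | tr -d ' '
}

# strip_suid DIR ALLOWLIST
#   Remove the setuid and setgid bits from every hit that is not listed,
#   one absolute path per line, in ALLOWLIST. Prints each path it changed.
#   The binaries stay runnable; they just no longer run as root.
strip_suid() {
    dir=$1
    allow=$2
    audit_suid "$dir" | while IFS= read -r f; do
        if [ -n "$allow" ] && grep -qxF -- "$f" "$allow"; then
            continue            # still needed with elevated privilege
        fi
        chmod u-s,g-s -- "$f"
        printf '%s\n' "$f"
    done
}

# demo_tree
#   Build a constructed sample tree: two fake setuid "binaries", of which
#   only one is allowlisted. Prints the temp directory so callers can use it.
demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    printf '#!/bin/sh\necho needed\n' > "$tmp/usr/bin/needed"
    printf '#!/bin/sh\necho unused\n' > "$tmp/usr/bin/unused"
    chmod 4755 "$tmp/usr/bin/needed" "$tmp/usr/bin/unused"
    printf '%s\n' "$tmp/usr/bin/needed" > "$tmp/allow.txt"
    printf '%s\n' "$tmp"
}

# Stand-alone run: audit, strip everything not allowlisted, audit again.
if [ "${DEMO:-1}" = 1 ]; then
    root=$(demo_tree)
    echo "before: $(count_suid "$root") setuid/setgid file(s)"
    strip_suid "$root" "$root/allow.txt"
    echo "after:  $(count_suid "$root") setuid/setgid file(s)"
    rm -rf "$root"
fi
```

On a real device you would run `audit_suid /` first, move anything you genuinely need (typically very little on a bridge-mode modem) into the allowlist, and only then call `strip_suid`. Removing the unused packages outright, as the message suggests, is the stronger fix; stripping the bits is the cheaper one that still closes the privilege-escalation path.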



