I found
Where it is exactly mentioned that OpenWrt is also vulnerable to these attacks.
@bruce any plans on implementing a fix? Or is GL firmware already protected?
This is a tool for tests.
Problem is, this is not a real CVE but a bunch of old CVEs; ARP spoofing is a known one.
Only if an attacker gains access to a wifi AP, it is possible they can become the router by spoofing broadcasts, which is basically the same as the router feature for drop-in gateway.
So airsnitch is not something new... or even wifi related.
It is only new that it does something to hostapd isolation, but hostapd isolation isn't fail-proof already, especially when a wired network is combined; wired will not be isolated.
So some other solutions are:
What is suggested is using multi-PSK per-network isolation, this means based on the WPA password you get sent to a VLAN network, and with WPA3 MAC addresses are also required, so to keep the wildcard ability you are left with WPA2, which isn't a security issue per se.
As a replacement for hostapd's isolation, use ebtables-nft; a rule looks like:
ebtables --append FORWARD --logical-in br-lan --jump DROP
Please note that ebtables filters on layer 2, which is exactly where ARP poisoning and broadcast poisoning happen; at this point you can only use bridges, devices will not work.
I made an app for LuCI for this; maybe GL.iNet can test it and add it to their repos. I no longer maintain it since it is simple.
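A check for the rule in the post above, as an added example that is not part of the original post and not GL.iNet or OpenWrt code: it reads an ebtables FORWARD listing and reports whether every frame bridged on a given bridge reaches a DROP. The function name and the sample listings are constructed for illustration, and the listing layout is assumed to be the one printed by ebtables -L.

```shell
#!/bin/sh
# Added example: audit an `ebtables -L` listing for the bridge-wide DROP rule.
# Sample listings below are constructed, not captured from a real device.

# Usage on a router: ebtables -L FORWARD | bridge_forward_dropped br-lan
# Returns 0 only if every frame bridged on BRIDGE reaches a DROP verdict.
# Conservative: any non-DROP rule ahead of the catch-all counts as a bypass.
bridge_forward_dropped() {
    awk -v br="$1" '
        /^Bridge chain: FORWARD,/ { in_fwd = 1; policy_drop = ($0 ~ /policy: DROP/); next }
        /^Bridge chain:/          { in_fwd = 0; next }
        in_fwd && NF && !decided {
            if (NF == 4 && $1 == "--logical-in" && $2 == br && $3 == "-j" && $4 == "DROP") {
                decided = 1; ok = 1          # the catch-all rule from the post
            } else if (!($(NF-1) == "-j" && $NF == "DROP")) {
                decided = 1; ok = 0          # ACCEPT, RETURN or a jump comes first
            }
        }
        END { if (!decided) ok = policy_drop; exit(ok ? 0 : 1) }
    '
}

sample_isolated() {     # constructed listing: only the catch-all rule
cat <<'EOF'
Bridge table: filter

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
--logical-in br-lan -j DROP
EOF
}

sample_arp_exempt() {   # constructed listing: ARP is accepted before the DROP
cat <<'EOF'
Bridge table: filter

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-p ARP --logical-in br-lan -j ACCEPT
--logical-in br-lan -j DROP
EOF
}

for s in sample_isolated sample_arp_exempt; do
    if "$s" | bridge_forward_dropped br-lan; then
        echo "$s: bridged forwarding is dropped on br-lan"
    else
        echo "$s: frames can still be bridged on br-lan"
    fi
done
```

The second sample is reported as not isolated because an ARP exemption placed ahead of the DROP lets ARP frames keep crossing the bridge, which is the traffic the post says the rule is meant to filter.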
@xize11 thanks! That works!
Then maybe just integrate it in the official GL firmware? As far as I know, they focus on security, so this will be a nice addition to their firmware that will be really unique on the router market.
Who here is related to security?
@alzhao ?
GL team, any comments?
Hi
Thank you for the report. We will ask the R&D team to further evaluate whether there are any specific impacts.
For now, the first two issues do not appear to have any practical impact:
All of these attacks require that a malicious client is already connected to the Wi-Fi network. This “vulnerability” cannot bypass the WPA encryption protection.
For the “Abusing GTK group keys” attack, even if GTK reuse allows the attack to occur, the data communication is only one-way—from the malicious client to other legitimate clients. Data sent from legitimate clients to the malicious client would still be isolated, because legitimate clients would not attempt to bypass AP isolation, so the malicious client would not be able to obtain that data.
For “Gateway Bouncing”, GL.iNet devices are not affected, because by default the Guest network and Main network are isolated at Layer 3 (IP layer) by the firewall.