Does Gl-iNet firmware get timely security updates from OpenWRT?

eric · 2021-02-12T00:30:04.513Z

@Johnex : My point was the only way to know about the dnsmasq issue is to search the forum, as this issue is not pinned to the top of the forum, and the public bug database was taken away awhile ago. There should be a security page, like the one on the OpenWrt forum, to keep all of us informed about known issues, especially security issues.

As there is no easy way to search this forum for all the known security issues with the different version of firmwares that GL iNet has released, such as the two issues I brought up in my post, the only way right now to find them is to read all the forum posts. That is a lot to expect out of a new router owner who may be under the impression that known security issues are quickly fixed or documented.

Johnex · 2021-02-12T00:35:16.681Z

Most router owners get an Asus or something off the shelf that is easy to use. OpenWRT has a learning curve. Most off the shelf routers have kernels from many years ago, and you don’t see updates as fast as GL.

Unfortunately if you want the latest OpenWRT, you need to use Vanilla OpenWRT without the GL UI, since it takes time to test and upgrade all the routers. Users can check their version in Luci, it will always say what OpenWRT you are running, regardless of how many updates, snapshots and patches GL releases on top.

nano · 2021-02-12T00:35:26.072Z

I’m thinking about trying a Turris Omnia just because they seem to stay on top of security updates.

Johnex · 2021-02-12T00:56:03.525Z

Turris is able to update faster as they only have 2 routers based on the same processor family. Their routers also cost many times more than GL routers. You also want to probably look at their EULA, as they send a lot of data back to their servers for processing for a lot of their features.

nano · 2021-02-12T01:03:35.547Z

I am dealing with that dillema, what you said is exactly why I haven’t done it yet. Just offering some options to the OP.

Eli · 2021-02-12T06:49:18.233Z

If someone has installed latest OpenWRT, could you please comment on how is the user experience without GL UI?

Is it difficult to install and update OS, set up and connect VPN, and set up internet access by CL or in LUCI? This is supposed to be used without another UI.

eric · 2021-02-12T07:42:38.227Z

I have run both the OpenWrt 19.07.6 released code and some of the snapshot builds for the upcoming OpenWrt 21.xx code (real bleeding edge stuff) on different GL iNet routers. The OpenWrt GUI LUCI has a steep learning curve, but if you want to do something special with your GL iNet hardware, like adding a second long range external WIFI radio using a USB adapter, it is the only way I have found to do it. The OpenWrt firmware is much smaller then the GL iNet firmware, as you only install the packages you are using. With the OpenWrt firmware you can target the firmware to the problem you are trying to solve. This gives your router a smaller attack vector, as there are less packages installed that may have security issues.

I have about a half dozen different GL iNet routers, doing all different functions for myself and family. Depending on the function, I am either running the GL iNet 3.105 firmware with work-arounds for the dnsmasq bug, or OpenWrt 19.07.6. It is much easier to setup the GL iNet GUI to configure things, as long as you don’t need to play outside the box, and you are willing to work around known bugs. This means reading this forum religiously, as it is the only way to find out about new bugs.

If you want to have the most control and the quickest access to patches for security bugs, go with OpenWrt. It is not that hard to do a simple setup of a GL iNet router with OpenWrt and LUCI. There are several youtube videos showing how to do the initial setup. I have used the GL iNet firmware update page to load the OpenWrt firmware, and I have used the OpenWrt update tool to re-install GL iNet firmware, without having to use uboot. It may not be recommended, but it works and lets me test out both sets of firmware. Try OpenWrt and see how you like it! You can always go back.

If I am using the GL iNet router as a travel router, where I may need to change a bunch of stuff to get it to work with some hotel WIFI, captive login and firewall, I normally use the GL iNet firmware, as its faster to make these changes on the fly, and to reconfigure the VPN client. If I need to do anything special, outside of what the GI iNet team documents, I use the OpenWrt firmware.

TreeDogNight · 2021-02-12T23:20:58.745Z

Thank you all for your help. Especially @eric. I now better understand the limitations of my Gl-iNet device. This part is a little bit heart-breaking:

“As there is no easy way to search this forum for all the known security issues with the different version of firmwares that GL iNet has released, such as the two issues I brought up in my post, the only way right now to find them is to read all the forum posts. That is a lot to expect out of a new router owner who may be under the impression that known security issues are quickly fixed or documented.”

But I also understand Johnex’s point that most other brands of consumer routers are even less secure than Gl-iNet’s. That is surely true.

I cannot spend hours a week reading through GL-iNet’s forums hoping to catch whatever security issues arise from outdated packages (and then studying the issue, and then to take whatever necessary corrective actions). It seems to me then, that regardless of the brand of router, it will cost me the least time OVERALL if I simply install OpenWRT at the beginning, and to keep that timely updated, so that I do not have to familiarize myself over and over with security issues. This despite the fact that OpenWRT/luci’s initial setup time is much more difficult than GL-iNet’s. I don’t want OpenWRT for its extra power and customizability; rather I simply want it for its timely security updates.

eric · 2021-02-13T01:58:30.996Z

@TreeDogNight Just one more issue to think about if you go the OpenWrt route. Some GL-iNet routers are much better supported by the current stable released 19.07.x OpenWrt firmware, like my GL-AR300M16, and some routers, like my GL.iNet Microuter-N300, the only available OpenWrt firmware is in the daily development snapshot builds which are the test builds for the future 21.xx OpenWrt release. I’m not comfortable running development firmware in production, so at this time, I’m limited on which GL iNet products I will run the OpenWrt firmware on. The GL iNet team does not provide a lot of information on which products run the OpenWrt code best and which are not well supported. You have to read through a bunch of forum posts, both in this forum and in the OpenWrt forum to figure this out.

This is a very helpful page for finding out which version of the OpenWrt firmware will run on your router: https://firmware-selector.openwrt.org/

pingpong · 2021-02-13T19:45:03.375Z

@eric @treedognight Newbie here, too (newbie to GL-iNet, but professionally in the IT bidness) and glad I found this recent thread because I had the same questions about the security of the GL-iNet devices.

Looks like I’ll be loading up a recent stable version of OpenWRT as well. Continuing to use OpenWRT 18.06.1 from Aug of 2018 seems downright…negligent. [1] Roughly 2.5 years of security updates is a loooong time to wait.

I admit the GL-iNet GUI is nice and easy to use, but the OpenWRT GUI isn’t that bad (if you are dedicated enough to already be on this forum, that is). For reference to others who may find this thread, it is located (from the GL-iNet GUI) from “More Settings” then “Advanced,” or directly:

https://yourdevicename/cgi-bin/luci/

[1] Recently grabbed a Mango v2 (GL-MT300N-V2) because it was bewildering to go through their extensive product line, where IMHO there are too many variants that differ by a very small number of features, so I just purchased the Mango for $20 to play around with. Waiting for availability of the Beryl GL-MT1300 to do this “for real” and rip out the almost equally security-negligent other products currently in the household.

Eli · 2021-02-13T20:29:18.380Z

The latest firmware 3.105 that I have comes with a 19. To be fair, it’s not that bad, at least compared to other router companies.

Note that these older versions are probably supported by OpenWRT and might receive security updates. So if glinet uses 18.06 but takes and compiles it recently it’s still fine.

pingpong · 2021-02-13T20:38:40.938Z

For which device? For the Mango I have, the latest is 3.105 (installed a week or so ago, still same version on GL-iNet support site) which is:

OpenWrt 18.06.1, r7258-5eb055306f

??

Eli · 2021-02-13T20:42:30.149Z

I don’t have mine with me (Brume), but from LUCI it was a 19 one. Should double check.

With 18.06 I would be careful, at least about packages.

Johnex · 2021-02-13T21:05:36.367Z

@pingpong
Firmware on 19.0x is under development, but you can try it here:

https://dl.gl-inet.com/firmware/snapshots/3.201_beta1/mt300n-v2/

limbot · 2021-02-13T23:13:25.290Z

pingpong:

[1] Recently grabbed a Mango v2 (GL-MT300N-V2) because it was bewildering to go through their extensive product line, where IMHO there are too many variants that differ by a very small number of features, so I just purchased the Mango for $20 to play around with. Waiting for availability of the Beryl GL-MT1300 to do this “for real” and rip out the almost equally security-negligent other products currently in the household.

Be aware that one of the things that Gl.Inet do with the MT300N-V2 (and the Beryl) is use Mediatek proprietary drivers. OpenWRT native will use open source drivers. Gl.Inet has used the proprietary drivers for “efficiency” reasons and as such you MAY get performance hits on native OpenWRT depending on your requirements.

lorazepam_access · 2022-07-25T17:09:09.836Z

I bought two brand new routers (GL-SF1200) this week and I was shocked to find it runs OpenWRT 18.06

Does this mean my router is vulnerable to this and other (CVEs) security vulnerabilities?

This post is from over a year ago but if I click ‘update’ it states I have the ‘latest’ version of the firmware. Please advise here.

lorazepam_access · 2022-07-26T16:43:29.378Z

Johnex:

Most router owners get an Asus or something off the shelf that is easy to use. OpenWRT has a learning curve. Most off the shelf routers have kernels from many years ago, and you don’t see updates as fast as GL.

Asus was penalized for shipping outdated vulnerable routers (Asusgate case) and not responding to vulnerabilities reported by the community.

I believed the incident cost Asus 150 million dollars in legalities and damages.

They settled the case in 2015 with the FTC and are now oblidged to have external security audits for each products and pay $16.000 for each individual security incident till 2036.

ftc.gov

160222asusagree.pdf

68.59 KB

Maybe the FTC need to take a closer look into this as well so that it will be taken more seriously by Gl-iNet.

I was very disappointed when I noticed my routers where shipped with outdated version with known security vulnerabilities and a version that is no longer being maintained.

eric · 2022-07-26T18:23:44.036Z

It is possible GL iNet fixed the Application issues. I don’t own a SF1200, but you could check a few of the Applications to see if they have been updated. You can do this in the GUI under APPLICATIONS → Plug-ins. I would start by looking at dnsmasq as it had multiple Security Advisory posted on the version running in 18.06. If it was updated to the same as being used in the GL iNet 3.212 firmware, running 19.07, the version should be:

dnsmasq-full      2.80-16.3

lorazepam_access · 2022-07-26T20:15:52.369Z

Indeed it runs the 2.80-16.3 version as well.

Johnex · 2022-07-27T20:03:52.974Z

As covered many times on the forum, OpenWRT version does not say much. OpenWRT versions basically just dictate what features are included in the release, how the configuration files are set up and other infrastructure changes.

In Linux every part of the system can be updated independently. Kernel, programs etc, can be updated to newer versions than the main release had. GL have updated packages when vulnerabilities have been found, you can search the forums for that in the past.

If you find a program that you require hasn’t been updated, send an email to customer service and it will be updated for you.