Does Gl-iNet firmware get timely security updates from OpenWRT?

TreeDogNight · 2021-02-11T18:27:32.811Z

Please forgive me for what may be a newbie question.

The firmware for my device is fully updated at currently 3.105, and the OpenWRT version on it is 18.06.1. Yet the current (old-stable) version of OpenWRT is 18.06.9, because there have been many security updates since 18.06.1.

So does that mean that my device is not securely updated? Is 3.105 secure even though the OpenWRT version it is out of date? Or maybe those security updates up through 18.06.09 are somehow actually included in 3.105 despite it showing 18.06.01?

I apologize if this question has already been answered elsewhere. I could not find it directly addressed. Thank you.

Eli · 2021-02-11T18:37:08.545Z

My question too.

The OpenWRT version is typically a year old. I hope GL-INET at least fixes security problems discovered in the past year.

I am not optimistic though, as gl-inet is not a company focused on security or a security product like OpenWRT.

eric · 2021-02-11T19:52:46.030Z

The OpenWrt code is now so out of date that the OpenWrt team is no longer providing new patches for the 18.06.x code base.

Recently Alzhao posted:

alzhao
(Why is OpenWRT version in gl-inet routers is a year old? - #2 by alzhao)
The firmware is always based on older openwrt version. Nothing wrong with that.
Security patches will be applied if found.

But this does not seem true, as according to the OpenWrt team there are 7 CVEs with dnsmasq:

OpenWrt Forum – 19 Jan 21

Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities

Multiple flaws (7 CVEs) has been found in the dnsmasq package. Dnsmasq has two sets of vulnerabilities, one set of memory corruption issues handling DNSSEC and a second set of issues validating DNS responses. These vulnerabilities could allow an...

Reading time: 23 mins 🕑 Likes: 115 ❤

Although dnsmasq is used in all GL iNet routers, there have been no patches released by the GL-iNet team for any product running the latest 3.105 or earlier firmware, and there is no pinned posting about the security issue with a list of possible work-arounds. We are all at risk, and NO ONE is getting any support on this security issue. The only thing we can do is wait until the 3.20x code is released and probably deal with a bunch of new bugs so we can get this critical issue fixed.

I am also not optimistic in GL-iNet ever taking security issues seriously with their products. Features before security! Here is another old bug that has yet to be patched: [BUG] 'Override DNS Settings for All Clients' opens up Port 53 to the WAN

TreeDogNight · 2021-02-11T20:50:16.213Z

@eric: Oh wow, the response you linked is very similar to my question. Not sure how I missed that.

So basically, GL-iNet is saying that if a security issue is important enough, that they’ll patch it themselves. But you are saying that there are some vulnerabilities that Gl-iNet thinks are not important enough to patch, like the dnsmasq stuff.

It seems so very difficult to find a maker of retail-grade routers that will continue to provide timely security updates to their devices for the whole life of the device. Does such a company even exist? Anyway looks like I should definitely prefer whichever devices are well-supported by OpenWRT, since that seems to only way to get real security patches. And that I should abandon the idea of the native Gl-iNet firmwares.

Johnex · 2021-02-11T22:42:20.671Z

The dnsmasq issues can be mitigated via config. We covered that in this thread:

Dnsmasq vulnerabilities Technical Support for Routers

Has anyone got any comments on this post on the (recently hacked) openwrt forum. Does it affect Gl-inet routers? Apparently 7 CVEs (vulnerabilities) have been found in this package. I have: root@GL-MT1300:~# opkg list-installed dnsmasq* dnsmasq-full - 2.80-16.1 on my Beryl . from openwrt…after updating The above command should output following: dnsmasq - 2.80-16.2 for stable 19.07 release dnsmasq - 2.83-1 for master/snapshot

Please use the search for such issues, it was discussed on the same day the issue was discovered, many weeks ago.

@eric Please update your post, it’s misleading when you didn’t use the forum search.

@Eli @TreeDogNight
All the routers are in the process of being updated to 19.0x, in the 3.201 firmware. You can use the latest snapshots if you are in a rush to upgrade, but notice the UI still has some issues. The base system has been upgraded, which is the first priority at the moment, next will be the UI:

https://dl.gl-inet.com/firmware/snapshots/

eric · 2021-02-12T00:30:04.513Z

@Johnex : My point was the only way to know about the dnsmasq issue is to search the forum, as this issue is not pinned to the top of the forum, and the public bug database was taken away awhile ago. There should be a security page, like the one on the OpenWrt forum, to keep all of us informed about known issues, especially security issues.

As there is no easy way to search this forum for all the known security issues with the different version of firmwares that GL iNet has released, such as the two issues I brought up in my post, the only way right now to find them is to read all the forum posts. That is a lot to expect out of a new router owner who may be under the impression that known security issues are quickly fixed or documented.

Johnex · 2021-02-12T00:35:16.681Z

Most router owners get an Asus or something off the shelf that is easy to use. OpenWRT has a learning curve. Most off the shelf routers have kernels from many years ago, and you don’t see updates as fast as GL.

Unfortunately if you want the latest OpenWRT, you need to use Vanilla OpenWRT without the GL UI, since it takes time to test and upgrade all the routers. Users can check their version in Luci, it will always say what OpenWRT you are running, regardless of how many updates, snapshots and patches GL releases on top.

nano · 2021-02-12T00:35:26.072Z

I’m thinking about trying a Turris Omnia just because they seem to stay on top of security updates.

Johnex · 2021-02-12T00:56:03.525Z

Turris is able to update faster as they only have 2 routers based on the same processor family. Their routers also cost many times more than GL routers. You also want to probably look at their EULA, as they send a lot of data back to their servers for processing for a lot of their features.

nano · 2021-02-12T01:03:35.547Z

I am dealing with that dillema, what you said is exactly why I haven’t done it yet. Just offering some options to the OP.

Eli · 2021-02-12T06:49:18.233Z

If someone has installed latest OpenWRT, could you please comment on how is the user experience without GL UI?

Is it difficult to install and update OS, set up and connect VPN, and set up internet access by CL or in LUCI? This is supposed to be used without another UI.

eric · 2021-02-12T07:42:38.227Z

I have run both the OpenWrt 19.07.6 released code and some of the snapshot builds for the upcoming OpenWrt 21.xx code (real bleeding edge stuff) on different GL iNet routers. The OpenWrt GUI LUCI has a steep learning curve, but if you want to do something special with your GL iNet hardware, like adding a second long range external WIFI radio using a USB adapter, it is the only way I have found to do it. The OpenWrt firmware is much smaller then the GL iNet firmware, as you only install the packages you are using. With the OpenWrt firmware you can target the firmware to the problem you are trying to solve. This gives your router a smaller attack vector, as there are less packages installed that may have security issues.

I have about a half dozen different GL iNet routers, doing all different functions for myself and family. Depending on the function, I am either running the GL iNet 3.105 firmware with work-arounds for the dnsmasq bug, or OpenWrt 19.07.6. It is much easier to setup the GL iNet GUI to configure things, as long as you don’t need to play outside the box, and you are willing to work around known bugs. This means reading this forum religiously, as it is the only way to find out about new bugs.

If you want to have the most control and the quickest access to patches for security bugs, go with OpenWrt. It is not that hard to do a simple setup of a GL iNet router with OpenWrt and LUCI. There are several youtube videos showing how to do the initial setup. I have used the GL iNet firmware update page to load the OpenWrt firmware, and I have used the OpenWrt update tool to re-install GL iNet firmware, without having to use uboot. It may not be recommended, but it works and lets me test out both sets of firmware. Try OpenWrt and see how you like it! You can always go back.

If I am using the GL iNet router as a travel router, where I may need to change a bunch of stuff to get it to work with some hotel WIFI, captive login and firewall, I normally use the GL iNet firmware, as its faster to make these changes on the fly, and to reconfigure the VPN client. If I need to do anything special, outside of what the GI iNet team documents, I use the OpenWrt firmware.

TreeDogNight · 2021-02-12T23:20:58.745Z

Thank you all for your help. Especially @eric. I now better understand the limitations of my Gl-iNet device. This part is a little bit heart-breaking:

“As there is no easy way to search this forum for all the known security issues with the different version of firmwares that GL iNet has released, such as the two issues I brought up in my post, the only way right now to find them is to read all the forum posts. That is a lot to expect out of a new router owner who may be under the impression that known security issues are quickly fixed or documented.”

But I also understand Johnex’s point that most other brands of consumer routers are even less secure than Gl-iNet’s. That is surely true.

I cannot spend hours a week reading through GL-iNet’s forums hoping to catch whatever security issues arise from outdated packages (and then studying the issue, and then to take whatever necessary corrective actions). It seems to me then, that regardless of the brand of router, it will cost me the least time OVERALL if I simply install OpenWRT at the beginning, and to keep that timely updated, so that I do not have to familiarize myself over and over with security issues. This despite the fact that OpenWRT/luci’s initial setup time is much more difficult than GL-iNet’s. I don’t want OpenWRT for its extra power and customizability; rather I simply want it for its timely security updates.

eric · 2021-02-13T01:58:30.996Z

@TreeDogNight Just one more issue to think about if you go the OpenWrt route. Some GL-iNet routers are much better supported by the current stable released 19.07.x OpenWrt firmware, like my GL-AR300M16, and some routers, like my GL.iNet Microuter-N300, the only available OpenWrt firmware is in the daily development snapshot builds which are the test builds for the future 21.xx OpenWrt release. I’m not comfortable running development firmware in production, so at this time, I’m limited on which GL iNet products I will run the OpenWrt firmware on. The GL iNet team does not provide a lot of information on which products run the OpenWrt code best and which are not well supported. You have to read through a bunch of forum posts, both in this forum and in the OpenWrt forum to figure this out.

This is a very helpful page for finding out which version of the OpenWrt firmware will run on your router: https://firmware-selector.openwrt.org/

pingpong · 2021-02-13T19:45:03.375Z

@eric @treedognight Newbie here, too (newbie to GL-iNet, but professionally in the IT bidness) and glad I found this recent thread because I had the same questions about the security of the GL-iNet devices.

Looks like I’ll be loading up a recent stable version of OpenWRT as well. Continuing to use OpenWRT 18.06.1 from Aug of 2018 seems downright…negligent. [1] Roughly 2.5 years of security updates is a loooong time to wait.

I admit the GL-iNet GUI is nice and easy to use, but the OpenWRT GUI isn’t that bad (if you are dedicated enough to already be on this forum, that is). For reference to others who may find this thread, it is located (from the GL-iNet GUI) from “More Settings” then “Advanced,” or directly:

https://yourdevicename/cgi-bin/luci/

[1] Recently grabbed a Mango v2 (GL-MT300N-V2) because it was bewildering to go through their extensive product line, where IMHO there are too many variants that differ by a very small number of features, so I just purchased the Mango for $20 to play around with. Waiting for availability of the Beryl GL-MT1300 to do this “for real” and rip out the almost equally security-negligent other products currently in the household.

Eli · 2021-02-13T20:29:18.380Z

The latest firmware 3.105 that I have comes with a 19. To be fair, it’s not that bad, at least compared to other router companies.

Note that these older versions are probably supported by OpenWRT and might receive security updates. So if glinet uses 18.06 but takes and compiles it recently it’s still fine.

pingpong · 2021-02-13T20:38:40.938Z

For which device? For the Mango I have, the latest is 3.105 (installed a week or so ago, still same version on GL-iNet support site) which is:

OpenWrt 18.06.1, r7258-5eb055306f

??

Eli · 2021-02-13T20:42:30.149Z

I don’t have mine with me (Brume), but from LUCI it was a 19 one. Should double check.

With 18.06 I would be careful, at least about packages.

Johnex · 2021-02-13T21:05:36.367Z

@pingpong
Firmware on 19.0x is under development, but you can try it here:

https://dl.gl-inet.com/firmware/snapshots/3.201_beta1/mt300n-v2/

limbot · 2021-02-13T23:13:25.290Z

pingpong:

[1] Recently grabbed a Mango v2 (GL-MT300N-V2) because it was bewildering to go through their extensive product line, where IMHO there are too many variants that differ by a very small number of features, so I just purchased the Mango for $20 to play around with. Waiting for availability of the Beryl GL-MT1300 to do this “for real” and rip out the almost equally security-negligent other products currently in the household.

Be aware that one of the things that Gl.Inet do with the MT300N-V2 (and the Beryl) is use Mediatek proprietary drivers. OpenWRT native will use open source drivers. Gl.Inet has used the proprietary drivers for “efficiency” reasons and as such you MAY get performance hits on native OpenWRT depending on your requirements.