Security of 4.7 (OpenWRT 21 based)

Someone help me understand the reasoning behind 4.7 being based on OpenWRT 21 when that version is EOL? I've heard talk about the packages being out of date. Isn't this a problem?

If there is a good reason for using OpenWRT 21 it would be good to know:

  1. Can end users upgrade to later versions?
  2. What degradation or problems might result from such upgrade?

alright sure, I'm gonna give you a long explanation :slight_smile:

some versions use different variants such as MTK sdk, QSDK, wlanap or OpenWrt main base.

these SDKs present vendor bases of the firmware where GL sdk and its scripts layer on top.

these sdks are not open source, and preserved with privatised drivers supplied either by qualcomm, mediatek or openwifi (wlanap).

However this does not mean they are EOL, on OpenWrt's side yes, but nobody prevents the developers from writing patches with updates, this is also what GL does.

With current base like the op24 versions these are also a bit older than what shows up on openwrt main branch :slight_smile:

Still doesn't prevent GL-iNet from writing patches to update things :wink:

^ also a lot of other companies do this, many ISP routers even run on older sdk forks of openwrt :smiley:, or some routers like tp-link, you will be amazed how many actually run on these variations of sdks.

So why would they choose this over the main source?

Maybe they found something very unstable, and didn't notice it on the SDK. A lot of times open source is slower to adapt to newer wifi chips, but in other situations it can also be the vendor's firmware calibration data that was wrong. Both firmwares, openwrt main as well as mtk sdk, use these blobs, but the drivers are still merely different between mtk sdk and op24.

About packages:

This is a little complicated, but if a package is so different that it cannot compile against a low kernel, it fails, especially if it depends on more dependencies, or they did not add it to the repository to save space.

As far as security goes...

I think if you already check your devices you should be fine, from the outside I don't see a risk.

From the inside network scope you may have a bigger risk, but consider yourself here:

what are the odds of a device specifically targeting your firmware, and then using a very specific exploit that only targets something on that firmware?

^ not going to happen, too much work and also it is not aware of version.

What I think is more realistic is this:

  • they leverage something in nginx or gl ui, this gets easily updated and patched by gl-inet :slight_smile:

  • an infected device bruteforces ssh, like what a mirai infection looks like, then it is easy to disable ssh or make generated passwords :slight_smile:

I think you should be fine :+1:

2 Likes
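
The SSH brute-force scenario mentioned in the reply above can be spotted from the router's own log. The following is an added example, not part of the original posts or GL.iNet's code: a shell function that counts failed dropbear password logins per source address. It assumes dropbear's `Bad password attempt for '<user>' from <ip>:<port>` message and OpenWrt's `logread` as the log source; the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Report source addresses with at least N failed dropbear password logins.
# Reads syslog lines on stdin; on the router: logread | ssh_bruteforce_sources 5
# Assumption: dropbear logs "Bad password attempt for '<user>' from <ip>:<port>".
ssh_bruteforce_sources() {
    threshold="${1:-5}"
    awk -v min="$threshold" '
        /dropbear\[[0-9]+\]:/ && /Bad password attempt for/ {
            # Last field is "<ip>:<port>"; strip the port to group by host.
            src = $NF
            sub(/:[0-9]+$/, "", src)
            fails[src]++
        }
        END {
            for (src in fails)
                if (fails[src] >= min)
                    printf "%s %d\n", src, fails[src]
        }
    ' | sort
}

# Constructed sample log (hypothetical LAN addresses, not from a real device):
# one host guessing root's password repeatedly, one user mistyping once.
sample_log() {
    cat <<'EOF'
Mon Jan  1 10:00:01 2024 authpriv.warn dropbear[2101]: Bad password attempt for 'root' from 192.168.8.150:40112
Mon Jan  1 10:00:02 2024 authpriv.warn dropbear[2102]: Bad password attempt for 'root' from 192.168.8.150:40113
Mon Jan  1 10:00:03 2024 authpriv.warn dropbear[2103]: Bad password attempt for 'root' from 192.168.8.150:40114
Mon Jan  1 10:00:04 2024 authpriv.warn dropbear[2104]: Bad password attempt for 'root' from 192.168.8.150:40115
Mon Jan  1 10:00:05 2024 authpriv.warn dropbear[2105]: Bad password attempt for 'root' from 192.168.8.150:40116
Mon Jan  1 10:00:06 2024 authpriv.warn dropbear[2106]: Bad password attempt for 'root' from 192.168.8.150:40117
Mon Jan  1 10:05:10 2024 authpriv.warn dropbear[2110]: Bad password attempt for 'root' from 192.168.8.20:51000
Mon Jan  1 10:05:20 2024 authpriv.notice dropbear[2111]: Password auth succeeded for 'root' from 192.168.8.20:51001
EOF
}

# Stand-alone demo: prints "192.168.8.150 6"
sample_log | ssh_bruteforce_sources 5
```

A LAN host that shows up here with a high count is a candidate for the infected-device case; the single mistyped password from the other host stays below the threshold.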