[Battlemesh] [WLANware] NAT Slipstreaming (CVE-2020-28041)
daniel at makrotopia.org
Wed Nov 4 02:24:14 CET 2020
We've discussed this on the IRC channel on the same day, see
The attack is based on a proprietary kernel module which is not
included in official OpenWrt (Linux 184.108.40.206brcmarm+, offending
module is called tdts.ko).
Any recent version of OpenWrt is fine as even if other similarly
vulnerable nat-extra modules were installed, they would not be
Nobody should still be using EOL'ed OpenWrt with Kernel as old as
4.7 (that'd be LEDE 17.01 running Linux 4.4, OpenWrt 18.06 is running
a mix of 4.9 and 4.14, depending on the target). So in case you
haven't updated your router in 3 years, please do so now if you want
to make sure your users to accidentally open ports by visiting a
malicious website. To the best of my knowledge you would still not
be affected, as vanilla Linux' NAT helpers are always only snooping
on specific ports and would not be triggered by something happening
on port 80. But to be sure, update to at least OpenWrt 18.06.
If you are using proprietary firmware on your gateway running
Linux 2.6, well, you most likely got some more problems....
On Wed, Nov 04, 2020 at 12:30:30AM +0100, Saverio Proto wrote:
> I apologize for cross posting.
> on 31.10.2020 this new attack was released:
> I am not 100% OpenWrt is vulnerable. It is also hard to say because
> the Kernel Version depends on the OpenWrt target.
> What are common values for:
> $ uname -a
> $ cat /proc/sys/net/netfilter/nf_conntrack_helper
> I tried to propose this PR, but I am not sure it is the correct way to
> patch OpenWrt to fix this.
> is anyone else working on this ?
> my 2 cents
> WLANware mailing list
> WLANware at freifunk.net
> Abonnement abbestellen? -> https://lists.freifunk.net/mailman/listinfo/wlanware-freifunk.net
> Weitere Infos zu den freifunk.net Mailinglisten und zur An- und Abmeldung unter http://freifunk.net/mailinglisten
More information about the Battlemesh