2.97 Firmware vulnerabilities

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
Post Reply
Username
Newbie
Newbie
Posts: 8
Joined: Wed May 10, 2006 11:29 pm

2.97 Firmware vulnerabilities

Post by Username » Sat Jan 24, 2015 4:27 pm

I have run OpenVAS on my broadband router that runs on latest 2.97 and it has reported the following vulnerabilities.
- Acme thttpd and mini_httpd Terminal Escape Sequence in Logs Command Injection Vulnerability - CVE-2009-4490, CVE-2009-4491
- BrowseGate HTTP headers overflows - CVE-2000-0908

Cannot judge what some can do by exploiting those however is there a way to close those ? Any services I can switch off ?

Regards,
George
mstombs
RouterTech Team
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: 2.97 Firmware vulnerabilities

Post by mstombs » Sat Jan 24, 2015 6:50 pm

Interesting, but the web gui is only http and not secure so you shouldn't expose it to the big bad internet, and probably worse things can happen if you have a hacker inside your LAN!

You don't actually need the web gui in normal operation so there is an option not to run the http server, can always be loaded manually from ssh - see the FAQ in section on memory optimisation

firmware-faq/#optimise
Username
Newbie
Newbie
Posts: 8
Joined: Wed May 10, 2006 11:29 pm

Re: 2.97 Firmware vulnerabilities

Post by Username » Sun Jan 25, 2015 5:23 pm

True and thanks.

Using stop_httpd gives and re-run OpenVAS gives nil vulnerability response from the internal network :-)
Not sure what software the children are downloading nowdays so better to lock from inside too.
So I am happy to start/stop the http from shell prompt.
Post Reply