Security scanning software, such as Nessus, OpenVAS and Qualys, is useful for proactively identifying and patching potential attack vectors in your network and server systems.
However, these tools have been primarily developed to scan general purpose servers running mainstream operating system distributions, and they can produce false positives and inappropriate guidance when run against a purpose-built embedded network appliance such as an Opengear device.
If vulnerabilities are being reported, we recommend following these steps:
- Ensure your Opengear device is running the current firmware release and re-run the scan
- We encourage you to read the information below to help ascertain whether the reported vulnerability is applicable to your Opengear device
- If possible ascertain the underlying CVE number of the reported vulnerability and check the Opengear Security Notifications for specific information as to whether Opengear products are affected and if so, mitigation steps to follow
- Contact Opengear support, attaching a copy of the vulnerability report and your Opengear device's support report
Why are security scans problematic?
1. Most security scanner software uses high level probes to attempt to detect potential vulnerabilities, making assumptions based on detected network service version numbers and the detected operating system kernel (Linux).
In order to maintain stability, the Opengear software team often backports security fixes from the latest versions of a software package (e.g. OpenSSH), rather than upgrading to the latest version of that package. The version number the scanner sees therefore stays the same even though the fix is present, so the scanner may report a vulnerability that has already been addressed.
2. The Opengear device embeds a lean software stack based on Linux, but designed "from the ground up" rather than taking a desktop Linux distribution and "cutting it down".
Therefore most user applications common on Linux server and desktop systems are not present (or have busybox alternatives), and many non-essential kernel features are turned off. This significantly reduces the attack surface, so the scanner may be reporting vulnerabilities in code that is not present on the Opengear device.
3. The guidance scanners provide to remediate vulnerabilities is often inappropriate, e.g. "use the package manager to upgrade OpenSSL".
The Opengear device integrates all software, including kernel, libraries and applications, in a single read-only binary image for consistency, reliability and security, rather than using a package management system. The network appliance approach delivers resilience and reliability consistent with the Opengear device's built-for-purpose role.
Additionally, CLI commands suggested as hotfixes, e.g. running sysctl to change runtime parameters, will not persist across reboots (these would need to be run from a script in /etc/config/), so they are also inappropriate.
4. In some cases, the embedded nature of the Opengear appliance, including its read-only filesystem and ARM CPU architecture, means that reported vulnerabilities are not exploitable.
5. For the purposes of penetration testing, scanners may treat the Opengear web UI as a generally available web application rather than a privileged access interface that is secured by firewall, VPN and strong authentication.
Therefore OWASP-type vulnerabilities may exist, but you would have to be an Opengear administrator to exploit them (in which case you have root-level access to the system anyway).
6. As a more general observation, some "vulnerabilities" reported by scanners represent theoretical projections (e.g. current ciphers becoming increasingly weaker as global compute power grows) rather than actual vulnerabilities at the present time. These may be interspersed with actual vulnerabilities, causing undue alarm.
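The triage steps at the top of this article (identify the CVE, check the vendor notifications, otherwise contact support) and point 1 (version-based detection versus backported fixes) can be turned into a simple first-pass sort of a scanner export. The script below is an added example, not part of this article or any Opengear tool; the findings, the CVE ids (CVE-1999-0000x) and the notification statuses are all constructed placeholders.

```python
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample of what a scanner export might look like; the CVE ids
# and version strings are placeholders, not real findings.
SAMPLE_FINDINGS = [
    {"title": "OpenSSH multiple vulnerabilities",
     "detail": "Banner reports OpenSSH_X.Y; CVE-1999-00001 CVE-1999-00002",
     "method": "remote banner"},
    {"title": "Linux kernel outdated",
     "detail": "OS fingerprint suggests an old kernel", "method": "os fingerprint"},
    {"title": "Weak TLS cipher configuration",
     "detail": "Server offers ciphers projected to weaken over time",
     "method": "tls handshake"},
]

# Constructed placeholder for what you would record after looking each CVE
# up in the vendor's security notifications (hypothetical status text).
VENDOR_NOTIFICATIONS = {
    "CVE-1999-00001": "not affected: fix backported in current firmware",
}

# Detection methods that infer a vulnerability from a version string alone.
BANNER_METHODS = {"remote banner", "os fingerprint"}

@dataclass
class Triage:
    title: str
    cves: list
    verdict: str

def triage_finding(finding, notifications=VENDOR_NOTIFICATIONS,
                   banner_methods=BANNER_METHODS):
    cves = sorted(set(CVE_RE.findall(finding["detail"])))
    if cves:
        unknown = [c for c in cves if c not in notifications]
        if not unknown:
            verdict = "addressed: " + "; ".join(f"{c} {notifications[c]}" for c in cves)
        else:
            verdict = "check notifications / contact support for " + ", ".join(unknown)
    elif finding["method"] in banner_methods:
        # Version-inferred only: a backported fix leaves the banner unchanged.
        verdict = "version-inferred only: verify against current firmware before acting"
    else:
        verdict = "manual review"
    return Triage(finding["title"], cves, verdict)

def triage_all(findings):
    return [triage_finding(f) for f in findings]
```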