Bridge mode security bug in 2.0n – Please install the hotfix

Recently a problem was discovered with the firewall on the Fonera 2.0n: When it is running in “bridge mode” (by selecting “bridge” in the internet settings screen), users can access the LAN network from the public wifi network (FON_FREE_INTERNET signal).

Because of the severity of this problem, we’ve provided a hotfix that fixes just this issue. We recommend that all users install this hotfix, though it should only affect users running in bridge mode.

This issue does not affect the Fonera 2.0g or SIMPL, which do not support bridge mode yet.

The hotfix is available for the 2.3.6.1 firmware. To install it, go to the “Applications” page on the dashboard of your Fonera and click the “plus” icon next to “Hotfix: Firewall in bridge mode”.

Alternatively, you can download the hotfix manually and upload it on the “Applications” page of the Fonera dashboard. This might also work on firmwares older than 2.3.6.1, but this has not been tested. If you are still running an older firmware, we recommend that you upgrade and then install the hotfix.

Note that if you ever do a factory reset, you will need to install the hotfix again.

Also note that right now, version 2 of this hotfix is available. If you already installed version 1, it is not possible to upgrade (because the hotfix cannot be uninstalled). However, version 1 offers the same protection, but might break the public signal in some very specific cases (which should not normally occur). If you really want to upgrade to version 2, you’ll need to do a factory reset to remove the hotfix.

25 Responses to “Bridge mode security bug in 2.0n – Please install the hotfix”

  1. Marco Says:

    Nice to see some new developments
    So, is it now time to check out the 3G Dongle – USB Hub issue?
    Thanks

  2. n3m0 Says:

    Great! Thank you!
    Keep up the good work!

  3. Josemi Says:

    Is the fonera 2.0g affected?

    Thanks

  4. Matthijs Says:

    As mentioned in the post:

    > This issue does not affect the Fonera 2.0g or SIMPL, which do not support bridge mode yet.

  5. Paolo Says:

    Since ~1 hour ago I can no longer connect to the wired network. Could it be the hotfix? I can provide brctl and ifconfig output on the fonera but it would likely be mangled by wordpress.

    Also, how can I check if I have v1 or v2?

  6. Matthijs Says:

    Paolo, could you please report a ticket on the trac? That will keep the discussion orderly. Please include the output of “ifconfig” and “iptables -n -v -L” in your report and describe the problems you’re seeing in a bit more detail. Thanks.

    To check which version you have, look at the “Applications” page on the dashboard (or look in /etc/config/plugfons). But if you installed the hotfix after I posted this announcement, you’re certain to have installed v2.

  7. Paolo Says:

    Done (ticket 999).

  8. UNIX4ALL Says:

    The hotfix doesn’t work with the 2.3.6.1 dev firmware. It fails verification when I click the plus symbol to install.

  9. Matthijs Says:

    Turns out Paolo’s issue was completely unrelated to the hotfix, since he hadn’t installed it yet :-)

    UNIX4ALL, could you open up a ticket on the trac and include a screenshot with the error message on the Applications page?

  10. UNIX4ALL Says:

    Yes, ticket created http://trac.fonosfera.org/fon-ng/ticket/1000

    Regards.

  11. dan Says:

    Looking at the file 40-interzone in the downloadable patch ( http://download.fonosfera.org/plugins/hotfix_bridge_firewall_2_fonera20n_2.3.6.1_fon.tar.gz ), the last line states:
    iptables -I block_public 1 -i tun0 -d 192.168.182.1 -p tcp --dport ! 3990 -j DROP

    In English: Drop all packets on network interface tun0 going to port 3990 of the host reachable at 192.168.182.1.

    Why is it that the ip address (192.168.182.1) and the port (3990) are hard-coded? 3990 does not appear to be the default port for any common service, so I would appreciate if you could shed some light.

    Thanks in advance!

  12. Matthijs Says:

    Dan, your interpretation of the iptables rule is almost correct, but you missed the exclamation mark in there. So the rule means: Drop all packets on network interface tun0 going to the host reachable at 192.168.182.1 to ports other than 3990. In other words, it opens up just port 3990 on 192.168.182.1.

    192.168.182.1 is the address chillispot uses on the public signal. When you connect to the public wifi signal, you’ll notice you get an address in the 192.168.182.0/24 range as well. So this line makes sure that clients can talk to chillispot (off the top of my head I’m not sure what service is at that port exactly, but it’s something chillispot related anyway).

    I hope this answers your questions!

  13. dan Says:

    Matthijs,
    thank you for the quick explanation — yep, I totally missed the exclamation mark. FWIW, based on [1], it appears chillispot’s http server binds to port 3990 (i.e. http://192.168.182.1:3990/logout would log you out when using the public signal).

    [1] http://www.chillispot.info/FAQ.html
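
Added example (not part of the original post, the comments, or the hotfix itself): a small Python matcher for the rule discussed in comments 11 to 13, showing how the `!` changes which packets are dropped. The parser, packet dictionaries and function names are constructed for illustration; it handles only the options that appear in this rule and accepts both `--dport ! 3990` and the newer `! --dport 3990` placement.

```python
import ipaddress
import shlex

# Rule text as quoted in the comments (with ASCII "--dport").
RULE = ("iptables -I block_public 1 -i tun0 -d 192.168.182.1 "
        "-p tcp --dport ! 3990 -j DROP")

def parse_rule(text):
    """Return ({option: (negated, value)}, target) for a simple iptables rule."""
    tokens = shlex.split(text)
    matches, target, negate_next = {}, None, False
    i = 1  # skip "iptables"
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                   # '! --opt value' placement
            negate_next = True
            i += 1
        elif tok == "-I":                # chain name plus optional position
            i += 3 if tokens[i + 2].isdigit() else 2
        elif tok == "-j":
            target = tokens[i + 1]
            i += 2
        else:
            negated = negate_next
            if tokens[i + 1] == "!":     # '--opt ! value' placement
                negated = True
                i += 1
            matches[tok] = (negated, tokens[i + 1])
            negate_next = False
            i += 2
    return matches, target

def rule_matches(matches, pkt):
    """True when every condition, after applying its negation, holds for pkt."""
    tests = {
        "-i": lambda v: pkt["iface"] == v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: pkt["dport"] == int(v),
    }
    return all(tests[opt](val) != neg for opt, (neg, val) in matches.items())

def verdict(rule_text, pkt):
    """Target of the rule if pkt matches it, otherwise 'next rule'."""
    matches, target = parse_rule(rule_text)
    return target if rule_matches(matches, pkt) else "next rule"
```

A constructed TCP packet arriving on tun0 for 192.168.182.1 port 80 yields `DROP`, while the same packet to port 3990 falls through to the next rule. Non-TCP packets never match this rule, so whatever happens to them is decided elsewhere in the chain.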

  14. t031 Says:

    well since all my comments get censored I will try to write more decent and less cynical, as far as I can.
    When you, Matthijs, took over the development a couple of months ago, we all thought things would change, just to find us back in the old situation, without regular comments about the development and us users angry and the developers, you that is, whining around that you ain’t got nothing.
    Well as far as it concerns me Matthijs you are a good guy and you are most likely doing the best you can, which leaves me no other conclusion that the company you work for is not really living up to what they advertise.
    Hope you had a good start into the year with loads of energy in order to deliver us a less faulty firmware ASAP.

  15. t031 Says:

    Cynical or not, just curious if anyone is still out there considering that there was no movement in your blog for almost a month…

  16. Juhku Says:

    t031 and all the rest of us, the dates show that there’s a general idea to let ppl know bits and pieces every two months. The obvious lack of resources for developing a working product (which was relatively expensive btw) is a huge shame for the company and a disappointment for loyal foneros. Got 6 hotspots myself, of which 2 are 2.0n.

    Bottom line: if generalizing a little, this would mean you, I and all the rest of us will still wait for a month to see what is yet not working as originally promised in Fon’s webshop ;)

    Personally I’ve been waiting to get my internet connection (3G) shared for more than a year now. Needless to say, the hotspot has stayed offline since hardware isn’t doing what it’s supposed to. With none of the 3 types of HSPA usb-modems I’ve tried.

  17. t031 Says:

    no more, huh?

  18. Voorstad Says:

    @t031: Matthijs has other obligations, Martin’s wife is pregnant….. I don’t have the feeling there will be a lot of focus & attention on FON’s “legacy products” like the 2.0N.

  19. barbon Says:

    @Voorstad Yes, but they have all the time to sell the Fonera SIMPL, why? :|

  20. t031 Says:

    @Voorstad
    Wow I am happy for Martin!
    Please let me know next time someone cuts a tree in Canada and you guys have to stop developing.
    Seriously, are you aware of the impact of your statement?!

  21. Marco Says:

    But they do have time to have some fun @ the office: http://yfrog.com/gydvlcnj and to post simpl promo codes on facebook… meanwhile I’ve been waiting for months for someone to fix the usb hub – 3g dongle issue.
    You should really learn how to respect your customers and stop acting like we’re all a bunch of idiots who gave you money.

  22. jos meijer Says:

    well, since I have froyo on my HTC-legend android-phone I can do all the things Martin and his gang promised for fon but never really worked.
    Have fun with our money, Martin. I give up investing time in this.

  23. t031 Says:

    ditto

  24. barbon Says:

    any news?

  25. t031 Says:

    last post here end of March…
