[Q] Reason for disabling dccp sctp rds tipc kernel modules? #27

Closed
nodiscc opened this issue Jan 3, 2021 · 4 comments
nodiscc commented Jan 3, 2021

Hi,

I traced back the addition of net_modules_blocklist to 6000ef9. From this commit I cannot tell why these particular modules (dccp, sctp, rds, tipc) were disabled.

What is the reason for disabling these modules? Is it a generic "disable what you don't need" task (in which case it might be better to leave the default list empty, as the modules could be in use on some systems)? Or is there a specific problem/security risk related to dccp/sctp/rds/tipc modules?

Thanks for this interesting role, I am learning from it and mixing it with https://github.com/dev-sec/ansible-collection-hardening/ and https://github.com/nodiscc/xsrv/tree/master/roles/common

@konstruktoid (Owner) commented

Hi @nodiscc, those are disabled since you should "disable what you don't need" as you put it.
It is also required to disable those, unless required, to comply with various benchmarks.

CIS Ubuntu 20.04 Benchmark:

3.4.1 Ensure DCCP is disabled
3.4.2 Ensure SCTP is disabled
3.4.3 Ensure RDS is disabled
3.4.4 Ensure TIPC is disabled

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

V-204450: Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.

nodiscc commented Jan 3, 2021

I found the same reference in CIS_Debian_Linux_10_Benchmark_v1.0.0.pdf:

[screenshot of the CIS Debian Linux 10 Benchmark PDF showing the same "Ensure DCCP/SCTP/RDS/TIPC is disabled" items]

So it is indeed a generic "reduce attack surface" measure, and also required for CIS benchmark compliance - not about a specific problem in these modules/protocols. I assume it is safe enough to disable them by default as they are rarely used.

It might be good to add some inline comments to the default modules blacklist (eg. # CIS 3.4.1 Ensure DCCP is disabled). For example I try to keep https://github.com/nodiscc/xsrv/blob/master/roles/common/defaults/main.yml well commented since I will forget in the long run why an option/value was added (it also saves me from maintaining a separate documentation in README.md...)

thanks for your quick reply!

@nodiscc nodiscc closed this as completed Jan 3, 2021
@konstruktoid (Owner) commented
nodiscc commented Jan 8, 2021

Interesting timing for this advisory :) 👍

I read a bit about SCTP and the Linux implementation, having a default DENY firewall policy will also stop SCTP traffic from going in or out of the machine - unless you explicitly add -p sctp iptables rules. Same for DCCP. Same for other protocols supported by iptables:

    -p, --protocol protocol
        The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh

There are other protocols in iptables extensions.

Disabling the modules in addition doesn't hurt, so I came to the conclusion that you can safely disable all protocol related kernel modules for which you don't have an iptables rule:

$ find /lib/modules/5.9.0-0.bpo.2-amd64/kernel/* -type f|grep net|grep -E "udplite|icmp|esp|ah|sctp|mh|dccp"
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/sctp/sctp_diag.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/sctp/sctp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/ah4.ko
...
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/esp4.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/netfilter/ipt_ah.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/esp4_offload.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/6lowpan/nhc_ghc_icmpv6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/ipvs/ip_vs_mh.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/xt_esp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/xt_dccp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/xt_sctp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/esp6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/ah6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/esp6_offload.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/netfilter/ip6t_mh.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/netfilter/ip6t_ah.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp_ipv4.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp_ipv6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp_diag.ko

None of these are currently enabled on my machines so I will try blacklisting some.

There is a vulnerability in the rds module on Linux <5.0.8 (requires an application actually using RDS to be vulnerable - but disabling the module will likely break your application).

However, about the Firefox advisory: https://webrtcglossary.com/sctp/

SCTP is not implemented by all operating systems. In such cases, an application level implementation of SCTP will usually be used.

The vulnerability is probably in the WebRTC implementation of SCTP, so disabling the kernel module won't help.
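As an added example, not code from the ansible-role-hardening role nor from anyone in this thread: a POSIX shell script that renders the modprobe.d drop-in the CIS items 3.4.1 to 3.4.4 quoted above call for, and audits an lsmod(8) listing for any of the four protocol modules (or their sub-modules such as dccp_ipv4 and sctp_diag) that are already loaded. The lsmod text embedded in the script is constructed sample data, and the target file name cis-net-protocols.conf is an assumed name, not one the benchmark prescribes.

```shell
#!/bin/sh
# Added example, not part of the role or the thread: render the modprobe.d
# drop-in for CIS 3.4.1-3.4.4 and audit an lsmod listing for blocked modules.

# Protocol modules discussed in the thread (CIS 3.4.1 DCCP, 3.4.2 SCTP,
# 3.4.3 RDS, 3.4.4 TIPC). Extend this list for other unused protocols.
BLOCKED_NET_MODULES="dccp sctp rds tipc"

# Print a modprobe.d fragment for the blocked modules.
#   install <mod> /bin/false  : any modprobe of <mod>, by name or via an alias,
#                               runs /bin/false instead of loading it, so the
#                               attempt fails visibly rather than succeeding.
#   blacklist <mod>           : ignore the module's own internal aliases, so a
#                               socket() call for the protocol cannot pull it
#                               in through alias-based autoloading.
render_modprobe_conf() {
    for mod in $BLOCKED_NET_MODULES; do
        printf 'install %s /bin/false\n' "$mod"
        printf 'blacklist %s\n' "$mod"
    done
}

# Read an lsmod listing on stdin and print the names of loaded modules that are
# a blocked module or one of its sub-modules (e.g. dccp_ipv4, sctp_diag).
# xt_sctp, the iptables match module, is deliberately not reported: it is a
# netfilter extension, not the protocol implementation.
loaded_blocked_modules() {
    awk -v list="$BLOCKED_NET_MODULES" '
        BEGIN { n = split(list, blocked, " ") }
        NR > 1 {
            for (i = 1; i <= n; i++)
                if ($1 == blocked[i] || index($1, blocked[i] "_") == 1) {
                    print $1
                    break
                }
        }'
}

# Constructed sample lsmod output, used for an offline run of the audit.
SAMPLE_LSMOD='Module                  Size  Used by
sctp_diag              16384  0
sctp                  401408  1 sctp_diag
dccp_ipv4              32768  0
dccp                  118784  1 dccp_ipv4
xt_sctp                16384  0
ip_tables              32768  0'

# Assumed drop-in path; any name under /etc/modprobe.d/ works.
CONF_PATH="/etc/modprobe.d/cis-net-protocols.conf"

case "${1:-}" in
    render)
        render_modprobe_conf ;;
    audit)
        # Prefer the live lsmod when available, otherwise use the sample.
        if command -v lsmod >/dev/null 2>&1; then
            lsmod | loaded_blocked_modules
        else
            printf '%s\n' "$SAMPLE_LSMOD" | loaded_blocked_modules
        fi ;;
    *)
        printf 'usage: %s render > %s | audit\n' "$0" "$CONF_PATH" >&2 ;;
esac
```

Usage: `sh block-net-modules.sh audit` first, to see what is loaded today; then `sh block-net-modules.sh render > /etc/modprobe.d/cis-net-protocols.conf`. A dry run such as `modprobe -n -v dccp` should then print the install line instead of an insmod command. The drop-in only affects future loads: a module that the audit reports as already loaded stays resident until it is removed with `modprobe -r` or the host reboots, and as the thread notes for RDS, check that no application on the host actually uses the protocol before blocking it.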
