konstruktoid / ansible-role-hardening

Ansible role to apply a security baseline. Systemd edition.
Apache License 2.0

[Q] Reason for disabling dccp sctp rds tipc kernel modules? #27

Closed nodiscc closed 3 years ago

nodiscc commented 3 years ago

Hi,

I traced back the addition of net_modules_blocklist to https://github.com/konstruktoid/ansible-role-hardening/commit/6000ef970183d2892a6ddc4f652381b17fdb3436. From this commit I cannot tell why these particular modules (dccp, sctp, rds, tipc) were disabled.

What is the reason for disabling these modules? Is it a generic "disable what you don't need" task (in which case it might be better to leave the default list empty, as the modules could be in use on some systems)? Or is there a specific problem/security risk related to dccp/sctp/rds/tipc modules?

Thanks for this interesting role, I am learning from it and mixing it with https://github.com/dev-sec/ansible-collection-hardening/ and https://github.com/nodiscc/xsrv/tree/master/roles/common.

konstruktoid commented 3 years ago

Hi @nodiscc, those are disabled since you should "disable what you don't need" as you put it. It is also required to disable those, unless required, to comply with various benchmarks.

CIS Ubuntu 20.04 Benchmark:

3.4.1 Ensure DCCP is disabled
3.4.2 Ensure SCTP is disabled
3.4.3 Ensure RDS is disabled
3.4.4 Ensure TIPC is disabled

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

V-204450: Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.

nodiscc commented 3 years ago

I found the same reference in CIS_Debian_Linux_10_Benchmark_v1.0.0.pdf:

(screenshot attached)

So it is indeed a generic "reduce attack surface" measure, and also required for CIS benchmark compliance - not about a specific problem in these modules/protocols. I assume it is safe enough to disable them by default as they are rarely used.

It might be good to add some inline comments to the default modules blacklist (e.g. # CIS 3.4.1 Ensure DCCP is disabled). For example I try to keep https://github.com/nodiscc/xsrv/blob/master/roles/common/defaults/main.yml well commented since I will forget in the long run why an option/value was added (it also saves me from maintaining separate documentation in README.md...)

thanks for your quick reply!
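
As an added example (not part of the role or of this thread): a small POSIX sh audit of a modprobe.d-style config for the four CIS 3.4.x modules, following the benchmark's check that a module needs both an `install <mod> /bin/true` (or `/bin/false`) line, so it cannot be loaded on demand, and a `blacklist` line. The sample config is constructed here to show one complete, one partial and one missing entry.

```shell
#!/bin/sh
# Added example, not code from konstruktoid/ansible-role-hardening.
# Audits a modprobe.d-style file for the CIS Ubuntu 20.04 3.4.1-3.4.4 modules.

MODULES="dccp sctp rds tipc"   # 3.4.1 DCCP, 3.4.2 SCTP, 3.4.3 RDS, 3.4.4 TIPC

# audit_modprobe_conf FILE
# Prints "<mod> ok" when FILE has both an install-override and a blacklist
# line for <mod>, otherwise "<mod> MISSING:<what>". Returns 1 if any is missing.
audit_modprobe_conf() {
  conf="$1"
  rc=0
  for m in $MODULES; do
    missing=""
    # "install <mod> /bin/true|/bin/false" stops modprobe from loading it on demand
    grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(true|false)" "$conf" \
      || missing="install"
    # "blacklist <mod>" stops automatic loading by alias
    grep -Eq "^[[:space:]]*blacklist[[:space:]]+$m([[:space:]]|$)" "$conf" \
      || missing="${missing:+$missing,}blacklist"
    if [ -z "$missing" ]; then
      echo "$m ok"
    else
      echo "$m MISSING:$missing"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample config (hypothetical): dccp and sctp complete, rds only
# blacklisted (still loadable on demand), tipc absent. Inline CIS references
# follow the commenting style suggested above.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# CIS 3.4.1 Ensure DCCP is disabled
install dccp /bin/true
blacklist dccp
# CIS 3.4.2 Ensure SCTP is disabled
install sctp /bin/true
blacklist sctp
# CIS 3.4.3 Ensure RDS is disabled (incomplete on purpose)
blacklist rds
EOF

audit_modprobe_conf "$SAMPLE_CONF" || echo "audit: one or more modules are not fully disabled"
```

Pointing the function at /etc/modprobe.d/<file>.conf on a real host turns it into a quick compliance check; `lsmod` still has to be consulted separately for modules already loaded.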

konstruktoid commented 3 years ago

https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/

nodiscc commented 3 years ago

Interesting timing for this advisory :) :+1:

I read a bit about SCTP and the Linux implementation; having a default DENY firewall policy will also stop SCTP traffic from going in or out of the machine, unless you explicitly add -p sctp iptables rules. Same for DCCP. Same for other protocols supported by iptables.

-p, --protocol protocol
    The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6,esp, ah, sctp, mh 

There are other protocols in iptables extensions.

Disabling the modules in addition doesn't hurt, so I came to the conclusion that you can safely disable all protocol related kernel modules for which you don't have an iptables rule:

$ find /lib/modules/5.9.0-0.bpo.2-amd64/kernel/* -type f|grep net|grep -E "udplite|icmp|esp|ah|sctp|mh|dccp"
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/sctp/sctp_diag.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/sctp/sctp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/ah4.ko
...
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/esp4.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/netfilter/ipt_ah.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/esp4_offload.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/6lowpan/nhc_ghc_icmpv6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/ipvs/ip_vs_mh.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/xt_esp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/xt_dccp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/xt_sctp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/esp6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/ah6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/esp6_offload.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/netfilter/ip6t_mh.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/netfilter/ip6t_ah.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp_ipv4.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp_ipv6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp_diag.ko

None of these are currently enabled on my machines so I will try blacklisting some.

There is a vulnerability in the rds module on Linux <5.0.8 (requires an application actually using RDS to be vulnerable - but disabling the module will likely break your application).

However, about the Firefox advisory: https://webrtcglossary.com/sctp/

SCTP is not implemented by all operating systems. In such cases, an application level implementation of SCTP will usually be used.

The vulnerability is probably in the WebRTC implementation of SCTP, so disabling the kernel module won't help.