Technical Overview
Several configuration issues were identified on the Ubuntu server:
The rsync service was installed and could be used to synchronize files between systems
over the network. This also presents a security risk, as the native rsync daemon protocol
(rsync://, TCP port 873) is unencrypted; only rsync transfers tunnelled over SSH are protected.
The Telnet and FTP client programs were installed. These could be used to make connections
from this host to other systems, and both protocols send credentials and data in clear text.
A core dump is the memory image of a process, written to disk when the process crashes.
fs.suid_dumpable was left at the system's default rather than 0, so set-user-ID and
set-group-ID programs could produce core dumps. Because such programs run with privileges
the invoking user does not have, their dumps can expose data (credentials, key material)
that the user should not be able to read.
The Ubuntu configuration allowed the forwarding of network packets: net.ipv4.ip_forward
was enabled, so the kernel would forward packets received on one interface out of another.
An attacker with access to the host could use it as a router into the networks it is
connected to.
Sending of ICMP redirects was enabled (net.ipv4.conf.all.send_redirects). A compromised
host with this setting on can send forged ICMP redirect messages to other hosts on its
network, altering their routing so that traffic is sent via the attacker. A host that is
not acting as a router has no reason to send redirects.
Reverse path filtering was not enabled (net.ipv4.conf.all.rp_filter). With it enabled, the
kernel drops incoming packets whose source address would not be routed back out through the
interface they arrived on, which blocks many packets with spoofed source addresses.
Source routed packets were accepted (net.ipv4.conf.all.accept_source_route).
Source routing allows a sender to partially or fully specify the route packets take through a
network, overriding the routing decisions of the hosts along the way.
Suspicious (martian) packets, those with source or destination addresses that are impossible
on the receiving interface, were not being logged (net.ipv4.conf.all.log_martians).
TCP SYN cookies were not enabled (net.ipv4.tcp_syncookies). When the SYN backlog fills, SYN
cookies let the kernel answer each SYN with a SYN-ACK whose sequence number encodes the
connection details, then verify the returning ACK and complete the connection even though
there is no corresponding entry in the queue, so a SYN flood cannot exhaust the backlog.
IPv6 router advertisements were accepted (net.ipv6.conf.all.accept_ra). Setting this to 0
stops the system from accepting router advertisements, which a rogue device on the local
link could otherwise use to install a default route or addresses on the host.
Note: IPv6 was enabled. If IPv6 is used within the network and is required for business activities,
keep it enabled. However, it should be disabled if not used.
Potential Impact if Exploited
An attacker might be able to perform a Person-in-the-Middle (PitM) attack, reading or modifying
transferred files, due to the unencrypted nature of the rsync daemon protocol.
Attackers who gain a foothold would have ready-made tools to connect to other hosts and copy data
off the local host. For example, the FTP client would enable an attacker to copy files to an FTP
server under their control.
An attacker who can trigger a crash in a set-user-ID program and read the resulting core dump
would gain access to the data held in that process's memory.
IP forwarding can be abused to route traffic through the host and so bypass network segmentation
or firewalls. If implemented incorrectly it can also degrade network performance and the
availability of resources.
Source routed packets could be used to reach systems on private address ranges, as the path could
be specified by the sender rather than relying on the network's routing, which would not carry
such traffic.
Spoofed or otherwise impossible packets would not be logged (net.ipv4.conf.all.log_martians).
Logging these packets allows an administrator to investigate the possibility that an attacker is
sending spoofed packets to their system.
Attackers could use SYN flood attacks to perform a Denial-of-Service (DoS) attack on the system by
sending many SYN packets without completing the three-way handshake
(net.ipv4.tcp_syncookies).
The host's routing could be manipulated by forged router advertisements so that traffic is sent to
compromised machines (net.ipv6.conf.all.accept_ra).
Recommendations
The rsync, telnet and ftp binaries should either be restricted or removed from the host if not being
used. This can be done via the package manager, for example:
sudo apt purge telnet
The following kernel parameters need to be set to the values below. Persist them in a file under
/etc/sysctl.d/ so they survive a reboot, then load them with sysctl --system:
fs.suid_dumpable set to 0
net.ipv4.ip_forward set to 0
net.ipv4.conf.all.send_redirects set to 0
net.ipv4.conf.default.send_redirects set to 0
net.ipv4.conf.all.rp_filter set to 1
net.ipv4.conf.default.rp_filter set to 1
net.ipv4.conf.all.accept_source_route set to 0
net.ipv4.conf.all.log_martians set to 1
net.ipv4.tcp_syncookies set to 1
net.ipv6.conf.all.accept_ra set to 0
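As an added example, not part of the original report, the following POSIX shell script turns the findings above and the recommended values into a repeatable check: it reads "key = value" lines from sysctl -a or from a sysctl.d file, reports every listed parameter that is missing or deviates from the recommendation, and can render the same values as a drop-in for /etc/sysctl.d/ so the audit list and the applied configuration share one source. The script name, function names and the sample inputs are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original report: audit the kernel parameters
# from this finding against the recommended values, and render the same values
# as a /etc/sysctl.d fragment. Function and variable names are this example's own.

# Recommended values from the Recommendations section, as key:value pairs.
EXPECTED='
fs.suid_dumpable:0
net.ipv4.ip_forward:0
net.ipv4.conf.all.send_redirects:0
net.ipv4.conf.default.send_redirects:0
net.ipv4.conf.all.rp_filter:1
net.ipv4.conf.default.rp_filter:1
net.ipv4.conf.all.accept_source_route:0
net.ipv4.conf.all.log_martians:1
net.ipv4.tcp_syncookies:1
net.ipv6.conf.all.accept_ra:0
'

# audit_sysctl: reads "key = value" lines on stdin (the format of `sysctl -a`
# and of sysctl.d files), prints one line per parameter that is missing or
# differs from the recommendation, and returns the number of problems found,
# so an exit status of 0 means every listed parameter is compliant.
audit_sysctl() {
    # Normalise input to key=value: drop comments and blank lines, strip whitespace.
    observed=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d')
    problems=0
    for pair in $EXPECTED; do
        key=${pair%%:*}
        expected=${pair#*:}
        # Exact key match; an absent key (e.g. no IPv6 stack) is reported as MISSING.
        current=$(printf '%s\n' "$observed" | awk -F= -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$current" ]; then
            printf 'MISSING %s expected=%s\n' "$key" "$expected"
            problems=$((problems + 1))
        elif [ "$current" != "$expected" ]; then
            printf 'FAIL %s current=%s expected=%s\n' "$key" "$current" "$expected"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# render_sysctl_conf: emits the same values in sysctl.d syntax, so the audit
# list and the configuration that gets applied cannot drift apart.
render_sysctl_conf() {
    printf '# Kernel parameters from the Ubuntu configuration review\n'
    for pair in $EXPECTED; do
        printf '%s = %s\n' "${pair%%:*}" "${pair#*:}"
    done
}

# Command-line use (--live needs the sysctl binary from procps):
#   sh sysctl_audit.sh --live     # check the running kernel, exit status = problem count
#   sh sysctl_audit.sh --render   # print the drop-in to install under /etc/sysctl.d/
case "${1:-}" in
    --live)   sysctl -a 2>/dev/null | audit_sysctl ;;
    --render) render_sysctl_conf ;;
esac
```

Run sh sysctl_audit.sh --live before and after applying the drop-in (sh sysctl_audit.sh --render | sudo tee /etc/sysctl.d/60-hardening.conf, then sudo sysctl --system); a non-zero exit status with FAIL lines means the values from the finding are still in effect. If the IPv6 stack is absent from the kernel, net.ipv6.conf.all.accept_ra is reported as MISSING rather than FAIL, which is consistent with the note on IPv6 above.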