Blacklist uncommon network protocols

There are a few protocols (such as DCCP) that are very rarely used and will most likely have unknown vulnerabilities. There have been pretty bad vulnerabilities with these in the past and even ones that allow privilege escalation. [1] [2]

The main ones to disable would be DCCP, SCTP, RDS and TIPC.

They can be disabled by a file in /etc/modprobe.d that has

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

Tails also disables these.

Their modprobe.d file is here:

https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/modprobe.d/uncommon-network-protocols.conf

Should Whonix disable these? I highly doubt anyone would use these.

[1] oss-sec: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability (local root)
[2] CVE-2017-8824 - linux-hardened linux linux-zen linux-lts - Arch Linux

2 Likes
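As an added example, not code from the original post, from security-misc or from Tails: a POSIX shell script that generates a modprobe.d file for the modules named in this thread (dccp, sctp, rds, tipc, plus n_hdlc, which is discussed later), puts the protocol's long name as a comment above each entry, checks a config text for an install rule, and audits a /proc/modules-style listing for blacklisted modules that are already loaded. The output path /etc/modprobe.d/uncommon-network-protocols.conf, the function names and the sample /proc/modules lines are assumptions; the long names are the standard expansions of the acronyms.

```shell
#!/bin/sh
# Added example (not Whonix/security-misc/Tails code): build and audit a
# modprobe.d blacklist for rarely used kernel network protocol modules.
# Assumed path: /etc/modprobe.d/uncommon-network-protocols.conf

# Table of "<module name> <long name>". Module names are the kernel's;
# n_hdlc is the line-discipline module behind the HDLC entry in the thread.
uncommon_protocols() {
    cat <<'EOF'
dccp Datagram Congestion Control Protocol
sctp Stream Control Transmission Protocol
rds Reliable Datagram Sockets
tipc Transparent Inter-Process Communication
n_hdlc High-Level Data Link Control (n_hdlc tty line discipline)
EOF
}

# Emit the config body. "install <module> /bin/true" tells modprobe to run
# /bin/true instead of loading the module, so a socket(AF_...) call that
# would normally autoload it silently gets nothing. A plain "blacklist"
# line only stops alias-based autoloading and still allows an explicit load.
gen_blacklist_conf() {
    uncommon_protocols | while read -r mod desc; do
        printf '# %s: %s\n' "$mod" "$desc"
        printf 'install %s /bin/true\n' "$mod"
    done
}

# conf_blocks MODULE CONF_TEXT: return 0 if CONF_TEXT carries an install
# rule that redirects MODULE to /bin/true or /bin/false.
conf_blocks() {
    printf '%s\n' "$2" | grep -Eq \
        "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(true|false)[[:space:]]*\$"
}

# loaded_blacklisted FILE: print blacklisted modules listed in FILE, which is
# in /proc/modules format (first column is the module name). The install rule
# only prevents future loads; anything already resident stays until rmmod.
loaded_blacklisted() {
    awk -v list="$(uncommon_protocols | awk '{print $1}' | tr '\n' ' ')" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }' "$1"
}

# live_check MODULE: ask the running system. "modprobe -n -v" is a dry run
# that prints the command it would execute; a blocked module shows the
# install rule instead of an insmod line. Returns 2 if modprobe is absent.
live_check() {
    command -v modprobe >/dev/null 2>&1 || { echo "modprobe not available" >&2; return 2; }
    modprobe -n -v "$1" 2>/dev/null | grep -q 'install .*/bin/\(true\|false\)'
}

# Usage: ./uncommon-protocols.sh --print  > /etc/modprobe.d/uncommon-network-protocols.conf
#        ./uncommon-protocols.sh --audit  (lists blacklisted modules currently loaded)
case "${1:-}" in
    --print) gen_blacklist_conf ;;
    --audit) loaded_blacklisted /proc/modules ;;
esac
```

Two things the thread's one-liner does not spell out: the choice of /bin/true versus /bin/false only changes whether an explicit `modprobe dccp` exits quietly or fails with an error (the module is not loaded either way), and writing the file does not unload a module that is already resident, which is why the audit function exists. After installing the file, `modprobe -n -v dccp` on the host should show the install rule rather than an insmod command.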

Sounds great!

Could you send a pull request against security-misc package please?

Could you please read these discussions too?

1 Like

Just created it.

Summary: “We should disable these. Other distros do it. They’re rarely used and insecure. We should ask upstream.”

The other distros they were talking about were Ubuntu and Fedora which blacklist these by default.

https://wiki.ubuntu.com/Security/Features#blacklist-rare-net

https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols

1 Like

Could you review Disable uncommon network protocols by madaidan · Pull Request #7 · Kicksecure/security-misc · GitHub please? @HulaHoop

2 Likes

Looks good. Fedora blacklists more esoteric protocols; I would like to see what they do and add to this.

https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols

Note: This was actually discussed by JA during a DebConf after he presented NSA leaks that indicated remote attacks possible because of network protocols like these. I am surprised this wasn’t implemented by default in Debian despite interest from the security team.

4 Likes

I’ve noticed that before but can’t find much information about them. Tails didn’t add them even though they were suggested.

It’s ironic that the NSA’s RHEL5 hardening guide also advises to disable these.

1 Like

We should also blacklist HDLC to protect against vulnerabilities such as CVE-2017-2636.

1 Like

madaidan via Whonix Forum:

We should also blacklist HDLC to protect against vulnerabilities such as CVE-2017-2636.

What is it used for?

Does lockdown cover this?

1 Like

Seems to be just an ordinary network protocol that’s rarely used.

Tails also disables this.

I don’t think so.

1 Like

Alright.

Please do.

1 Like
2 Likes

Thanks, merged!

1 Like

There are also more here but I don’t know anything about them and it doesn’t seem like anything else blacklists these.

2 Likes

Looks good. Please go ahead and axe the ones mentioned by Tails. I heard that appletalk in particular was exploited by NSA in a talk by JA.

2 Likes

Just added them too.

2 Likes

We need to document this so if anyone runs into issues has a chance to find this through search engines. Could you please list all the uncommon network protocols in debian/control with their short- and long handle? @madaidan

  • n-hdlc - High-Level Data Link Control
  • … - …

And could you please also add the long name of the protocol as a comment on top of the config file that disables them?


Does the list look good to you? @HulaHoop

As of now: security-misc/uncommon-network-protocols.conf at 1e4d3495167c0305ec1fce8568658a06750df674 · Kicksecure/security-misc · GitHub

2 Likes

Could you please

1 Like

Yep :)
Really wish Debian would do this by default.

2 Likes
1 Like