[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Blacklist uncommon network protocols

There are a few protocols (such as DCCP) that are very rarely used and will most likely have unknown vulnerabilities. There have been pretty bad vulnerabilities with these in the past and even ones that allow privilege escalation. [1] [2]

The main ones to disable would be DCCP, SCTP, RDS and TIPC.

They can be disabled by a file in /etc/modprobe.d that has

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true 

Tails also disables these.

https://redmine.tails.boum.org/code/issues/6457
https://redmine.tails.boum.org/code/issues/12280

Their modprobe.d file is here:

https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/modprobe.d/uncommon-network-protocols.conf

Should Whonix disable these? I highly doubt anyone would use these.

[1] https://seclists.org/oss-sec/2017/q1/471
[2] https://security.archlinux.org/CVE-2017-8824

1 Like

Sounds great!

Could you send a pull request against security-misc package please?

Could you please read these discussions too?

1 Like

Just created it.

Summary: “We should disable these. Other distros do it. They’re rarely used and insecure. We should ask upstream.”

The other distros they were talking about were Ubuntu and Fedora which blacklist these by default.

https://wiki.ubuntu.com/Security/Features#blacklist-rare-net

https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols

1 Like

Could you review https://github.com/Whonix/security-misc/pull/7 please? @HulaHoop

2 Likes

Looks good. Fedora blacklists more esoteric protocols would like to see what they do and add to this.

https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols

Note: This was actually discussed by JA during a DebConf after he presented NSA leaks that indicated remote attacks possible because of network protocols like these. I am surprised this wasn’t implemented by default in Debian despite interest from the security team.

4 Likes

I’ve noticed that before but can’t find much information about them. Tails didn’t add them even though they were suggested.

It’s ironic that the NSA’s RHEL5 hardening guide also advises to disable these.

1 Like

We should also blacklist HDLC to protect against vulnerabilities such as CVE-2017-2636.

1 Like

madaidan via Whonix Forum:

We should also blacklist HDLC to protect against vulnerabilities such as CVE-2017-2636.

What is it used for?

Does lockdown cover this?

1 Like

Seems to be just an ordinary network protocol that’s rarely used.

Tails also disables this.

I don’t think so.

1 Like

Alright.

Please do.

1 Like
2 Likes

Thanks, merged!

1 Like

There are also more here but I don’t know anything about them and it doesn’t seem like anything else blacklists these.

2 Likes

Looks good. Please go ahead and axe the ones mentioned by Tails. I heard that appletalk in particular was exploited by NSA in a talk by JA.

2 Likes

Just added them too.

2 Likes

We need to document this so if anyone runs into issues has a chance to find this through search engines. Could you please list all the uncommon network protocols in debian/control with their short- and long handle? @madaidan

  • n-hdlc - High-Level Data Link Control
  • … - …

And could you please also add the long name of the protocol as a comment on top of the config file that disables them?


Does the list look good to you? @HulaHoop

As of now: https://github.com/Whonix/security-misc/blob/1e4d3495167c0305ec1fce8568658a06750df674/etc/modprobe.d/uncommon-network-protocols.conf

2 Likes

Could you please

1 Like

https://tails.boum.org/blueprint/blacklist_modules/

Yep :slight_smile:
Really wish Debian would do this by default.

2 Likes
1 Like