Message-Id: <20110928.140632.726302773135946390.davem@davemloft.net>
Date:	Wed, 28 Sep 2011 14:06:32 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	fbl@...hat.com
Cc:	netdev@...r.kernel.org
Subject: Re: ICMP redirect issue

From: Flavio Leitner <fbl@...hat.com>
Date: Tue, 27 Sep 2011 16:21:20 -0300

> The issue is about the gateway being a LVS, so the servers behind use
> the IP alias address as the default gateway.  However, when the gateway
> sends an ICMP redirect, it comes from the primary IP address which is
> ignored on older kernels because of the old_gw check:
> 
> -                               if (rth->rt_dst != daddr ||
> -                                   rth->rt_src != saddr ||
> -                                   rth->dst.error ||
> -                                   rth->rt_gateway != old_gw ||
> -                                   rth->dst.dev != dev)
> -                                       break;
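Review bot: dropping `rth->rt_gateway != old_gw` from this check removes the only comparison that ties the redirect to the gateway the route currently uses, so a redirect for this destination would be honoured whether or not it came from the gateway actually in use; the remaining comparisons on `rt_dst`, `rt_src` and `dst.dev` do not compensate for that, and under the default shared_media=1 the secure_redirects gate does not fill the gap either. The LVS alias case would be better served by keeping the comparison and letting it also match the gateway's alias address than by deleting the check outright.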
> 
> 
> Well, the consequence is that the issue doesn't happen in newer kernels
> because it happily accepts the ICMP redirect.
> 
> The admin can still control using shared_media and secure_redirects if
> the host should accept only the ICMP redirects for gateways listed in
> default gateway list or not.

Unfortunately, shared_media is on by default which means the default
secure_redirects setting of '1' is ignored.

This means that redirects can be spoofed in the default configuration,
but with the above check they would not be spoofable.

I suspect that, because of this, we'll need to add the check back.  Or
do something similar.

We can't "fix" this by turning shared_media off by default because that
changes behavior on input route processing wrt. how we decide whether
to emit a redirect or not.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
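The thread's point is that secure_redirects=1 only restricts accepted redirects to the current gateway when shared_media is off, so the stock defaults (accept_redirects=1, secure_redirects=1, shared_media=1) leave redirects from any source accepted. The script below is an added example, not code from the thread or the kernel: it classifies an interface's effective redirect policy from those three sysctls and can read them from /proc on a live host. It reads only the per-interface entries; the kernel's merging of the per-interface value with the `all` entry is deliberately not modelled.

```shell
#!/bin/sh
# Added example: classify the effective ICMP redirect acceptance policy of
# one interface from its three sysctl values, following the rule stated in
# the reply above (secure_redirects is only enforced when shared_media=0).
#
# Arguments: accept_redirects secure_redirects shared_media (each 0 or 1)
# Prints one of: ignored | gateway-only | any-source
redirect_policy() {
    accept=$1; secure=$2; shared=$3
    if [ "$accept" = "0" ]; then
        echo ignored            # redirects are dropped outright
    elif [ "$secure" = "1" ] && [ "$shared" = "0" ]; then
        echo gateway-only       # only redirects from a listed gateway count
    else
        echo any-source         # secure_redirects is not in effect
    fi
}

# Read the per-interface sysctls from /proc and classify that interface.
# Assumption kept simple: the "all" entry is not merged in here.
audit_iface() {
    d=/proc/sys/net/ipv4/conf/$1
    [ -r "$d/accept_redirects" ] || { echo "$1: not available"; return 1; }
    redirect_policy "$(cat "$d/accept_redirects")" \
                    "$(cat "$d/secure_redirects")" \
                    "$(cat "$d/shared_media")"
}

# Constructed sample rows (iface accept secure shared); eth0 carries the
# default values discussed in the thread.
SAMPLE='eth0 1 1 1
eth1 1 1 0
eth2 0 1 1'

demo() {
    echo "$SAMPLE" | while read -r iface accept secure shared; do
        printf '%s: %s\n' "$iface" \
            "$(redirect_policy "$accept" "$secure" "$shared")"
    done
}

demo
```

On a host, `audit_iface eth0` reports the live setting. Since the reply explains why shared_media cannot simply be switched off by default, the usual hardening for a host that does not rely on redirects is accept_redirects=0, which the classifier reports as `ignored` regardless of the other two knobs.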
