lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <9ef0c93114814352877825321e9e2826@AcuMS.aculab.com>
Date: Mon, 29 May 2023 13:32:02 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Jeffrey E Altman' <jaltman@...istor.com>, Kenny Ho <y2kenny@...il.com>
CC: Andrew Lunn <andrew@...n.ch>, Marc Dionne <marc.dionne@...istor.com>, Kenny Ho <Kenny.Ho@....com>, David Howells <dhowells@...hat.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, "Jakub Kicinski" <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, "linux-afs@...ts.infradead.org" <linux-afs@...ts.infradead.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] Remove hardcoded static string length

From: Jeffrey E Altman
> Sent: 27 May 2023 16:09
>
> On 5/25/2023 11:37 AM, Kenny Ho wrote:
> > On Thu, May 25, 2023 at 11:04 AM David Laight <David.Laight@...lab.com> wrote:
> >>> "The standard formulation seems to be: <project> <version> built
> >>> <yyyy>-<mm>-<dd>"
> >> Which I don't recall the string actually matching?
> >> Also the people who like reproducible builds don't like __DATE__.
> > That's correct, it was not matching even when it was introduced. I am
> > simply taking that as people caring about the content and not simply
> > making rxrpc_version_string == UTS_RELEASE. The current format is:
> >
> > "linux-" UTS_RELEASE " AF_RXRPC"
> >
> > Kenny
>
> The RX_PACKET_TYPE_VERSION query is issued by the "rxdebug <host> <port>
> -version" command which prints the received string to stdout. It has
> also been used by some implementations to record the version of the peer.
> Although it is required that a response to the RX_PACKET_TYPE_VERSION
> query be issued, there is no requirement that the returned string
> contain anything beyond a single NUL octet.

Does that mean that the zero-padding/truncation to 65 bytes is bogus?
Additionally, is the response supposed to be '\0' terminated?
The existing code doesn't guarantee that at all.

> Although it is convenient to be able to remotely identify the version of
> an Rx implementation, there are good reasons why this information should
> not be exposed to an anonymous requester:
>
> 1. Linux AF_RXRPC is part of the kernel. As such, returning
> UTS_RELEASE identifies to potential attackers the explicit kernel
> version, architecture and perhaps distro. As this query can be
> issued anonymously, this provides an information disclosure that can
> be used to target known vulnerabilities in the kernel.

I guess it could even be used as a probe to find more/interesting
systems to attack once inside the firewall.

> 2. The RX_PACKET_TYPE_VERSION reply is larger than the query by the
> number of octets in the version data. As the query is received via
> udp with no reachability test, it means that the
> RX_PACKET_TYPE_VERSION query/response can be used to perform a 3.3x
> amplification attack: 28 octets in and potentially 93 octets out.
>
> With my security hat on I would suggest that either AF_RXRPC return a
> single NUL octet or the c-string "AF_RXRPC" and nothing more.

Is there any point including "AF_RXRPC"?
It is almost certainly implied by the message format.

Or the exact text from the standard - which might be:
"version string - to be supplied by O.E.M."
(I've seen hardware versions with strings like the above that
exactly match the datasheet....)

Limiting the version to (eg) 6.2 would give a hint to the capabilities/bugs
without giving away all the relative addresses in something like a RHEL kernel.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
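An added illustration of the two points argued in the thread (this is constructed example code, not the patch, the kernel's rxrpc code or any of the posters' code): the 65-octet version field is built so that it is always NUL-terminated even for an overlong string, and the reply sizes for the fixed field versus a minimal reply reproduce the 28-in / 93-out figures quoted above. The 28-octet header size and the 65-octet field width are taken from the thread; RX_VERSION_FIELD and the function names are assumed names.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <string.h>

/* Figures quoted in the thread: the query is 28 octets (the Rx header); the
 * reply is that header plus the version data, which is padded/cut to 65. */
#define RX_HEADER_LEN    28
#define RX_VERSION_FIELD 65   /* constructed name for the 65-octet field */

/* Current behaviour: a fixed 65-octet field. Zero-fill first, then copy at
 * most RX_VERSION_FIELD-1 bytes, so the last octet is always 0 and the field
 * is NUL-terminated even when the version string is longer than the field. */
static size_t build_fixed_payload(const char *src, unsigned char *out)
{
    memset(out, 0, RX_VERSION_FIELD);
    memcpy(out, src, strnlen(src, RX_VERSION_FIELD - 1));
    return RX_VERSION_FIELD;            /* the whole field goes on the wire */
}
/* Suggested behaviour: only a short constant plus its NUL ("AF_RXRPC"),
 * or a lone NUL octet when src is the empty string. */
static size_t build_minimal_payload(const char *src, unsigned char *out)
{
    size_t n = strnlen(src, RX_VERSION_FIELD - 1);
    memcpy(out, src, n);
    out[n] = '\0';
    return n + 1;
}
/* Octets on the wire for one reply under either policy. */
size_t version_reply_len(const char *version, int fixed_field)
{
    unsigned char field[RX_VERSION_FIELD];
    size_t payload = fixed_field ? build_fixed_payload(version, field)
                                 : build_minimal_payload(version, field);
    return RX_HEADER_LEN + payload;
}
/* Octets out per octet in: 93/28 = 3.3x for the fixed field, 29/28 for a
 * lone NUL, 37/28 for "AF_RXRPC". */
double amplification(const char *version, int fixed_field)
{
    return (double)version_reply_len(version, fixed_field) / RX_HEADER_LEN;
}
/* 1 if the emitted field contains a NUL, so a receiver that treats it as a
 * C string cannot read past the end of the field. */
int payload_is_terminated(const char *version, int fixed_field)
{
    unsigned char field[RX_VERSION_FIELD];
    size_t n = fixed_field ? build_fixed_payload(version, field)
                           : build_minimal_payload(version, field);
    return memchr(field, '\0', n) != NULL;
}
```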