 
Message-ID: <20240520165335899feIJEvG6iuT4f7FBU6ctk@zte.com.cn>
Date: Mon, 20 May 2024 16:53:35 +0800 (CST)
From: <ye.xingchen@....com.cn>
To: <davem@...emloft.net>
Cc: <edumazet@...gle.com>, <kuba@...nel.org>, <pabeni@...hat.com>,
        <corbet@....net>, <dsahern@...nel.org>, <ncardwell@...gle.com>,
        <soheil@...gle.com>, <haiyangz@...rosoft.com>, <lixiaoyan@...gle.com>,
        <ye.xingchen@....com.cn>, <mfreemon@...udflare.com>,
        <david.laight@...lab.com>, <netdev@...r.kernel.org>,
        <linux-doc@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <fan.yu9@....com.cn>, <he.peilin@....com.cn>, <xu.xin16@....com.cn>,
        <yang.yang29@....com.cn>, <yang.guang5@....com.cn>,
        <zhang.yunkai@....com.cn>
Subject: [PATCH net-next v2] icmp: Add icmp_timestamp_ignore_all to control ICMP_TIMESTAMP

From: YeXingchen <ye.xingchen@....com.cn>

The CVE-1999-0524 vulnerability is associated with ICMP
timestamp messages, which can be exploited to conduct 
a denial-of-service (DoS) attack. In the Vulnerability
Priority Rating (VPR) system, this vulnerability was 
rated as a medium risk in May of this year.
Link: https://www.tenable.com/plugins/nessus/10113

To protect embedded systems that cannot run firewalls
from attacks exploiting the CVE-1999-0524 vulnerability,
the icmp_timestamp_ignore_all sysctl is offered as 
an easy solution, which allows all ICMP timestamp
messages to be ignored, effectively bypassing the 
potential exploitation through the CVE-1999-0524 
vulnerability. It enables these resource-constrained
systems to disregard all ICMP timestamp messages,
preventing potential DoS attacks, making it an ideal
lightweight solution for such environments.

Signed-off-by: YeXingchen <ye.xingchen@....com.cn>
Reviewed-by: xu xin <xu.xin16@....com.cn>
Reviewed-by: zhang yunkai <zhang.yunkai@....com.cn>
Reviewed-by: Fan Yu <fan.yu9@....com.cn>
CC: he peilin <he.peilin@....com.cn>
Cc: Yang Yang <yang.yang29@....com.cn>
Cc: Yang Guang <yang.guang5@....com.cn>
---
v1->v2
fixes according to
https://lore.kernel.org/all/20240517172639229ec5bN7VBV7SGEHkSK5K6f@zte.com.cn/
1.fix the compile warning
2.change description.
 Documentation/networking/ip-sysctl.rst                 |  6 ++++++
 .../networking/net_cachelines/netns_ipv4_sysctl.rst    |  1 +
 include/net/netns/ipv4.h                               |  1 +
 include/uapi/linux/sysctl.h                            |  1 +
 net/ipv4/icmp.c                                        | 10 ++++++++++
 net/ipv4/sysctl_net_ipv4.c                             |  9 +++++++++
 6 files changed, 28 insertions(+)

diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index bd50df6a5a42..41eb3de61659 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -1441,6 +1441,12 @@ icmp_ratelimit - INTEGER

 	Default: 1000

+icmp_timestamp_ignore_all - BOOLEAN
+	If set non-zero, then the kernel will ignore all ICMP TIMESTAMP
+	requests sent to it.
+
+	Default: 0
+
 icmp_msgs_per_sec - INTEGER
 	Limit maximal number of ICMP packets sent per second from this host.
 	Only messages whose type matches icmp_ratemask (see below) are
diff --git a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
index 9b87089a84c6..ed72f67c8f72 100644
--- a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
+++ b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
@@ -38,6 +38,7 @@ u8                              sysctl_icmp_ignore_bogus_error_responses
 u8                              sysctl_icmp_errors_use_inbound_ifaddr                                                
 int                             sysctl_icmp_ratelimit                                                                
 int                             sysctl_icmp_ratemask                                                                 
+u8                              sysctl_icmp_timestamp_ignore_all
 u32                             ip_rt_min_pmtu                               -                   -                   
 int                             ip_rt_mtu_expires                            -                   -                   
 int                             ip_rt_min_advmss                             -                   -                   
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index c356c458b340..7364c469e7eb 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -113,6 +113,7 @@ struct netns_ipv4 {
 	u8 sysctl_icmp_echo_ignore_broadcasts;
 	u8 sysctl_icmp_ignore_bogus_error_responses;
 	u8 sysctl_icmp_errors_use_inbound_ifaddr;
+	u8 sysctl_icmp_timestamp_ignore_all;
 	int sysctl_icmp_ratelimit;
 	int sysctl_icmp_ratemask;

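Review bot: The new u8 field is placed between sysctl_icmp_errors_use_inbound_ifaddr and sysctl_icmp_ratelimit here, but the net_cachelines document updated by this same patch lists sysctl_icmp_timestamp_ignore_all after sysctl_icmp_ratemask, so the two no longer describe the same layout. Either move the documentation line up to follow sysctl_icmp_errors_use_inbound_ifaddr or move the field down after sysctl_icmp_ratemask so they agree. Keeping the field next to the other u8 flags, as done here, is probably the better of the two since it fills existing padding instead of adding some, though the rest of the struct is outside the hunk. struct netns_ipv4 begins before this hunk.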
diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
index 8981f00204db..ef8640947f4e 100644
--- a/include/uapi/linux/sysctl.h
+++ b/include/uapi/linux/sysctl.h
@@ -426,6 +426,7 @@ enum
 	NET_TCP_ALLOWED_CONG_CONTROL=123,
 	NET_TCP_MAX_SSTHRESH=124,
 	NET_TCP_FRTO_RESPONSE=125,
+	NET_IPV4_ICMP_TIMESTAMP_IGNORE_ALL = 126,
 };

 enum {
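Review bot: The new NET_IPV4_ICMP_TIMESTAMP_IGNORE_ALL constant is not referenced anywhere else in this patch — the sysctl is registered by name through the ctl_table entry in net/ipv4/sysctl_net_ipv4.c — yet it is added to a uapi header, which makes it user-visible ABI that cannot be withdrawn later. These numeric identifiers belong to the legacy binary sysctl(2) interface, which as far as I recall has been removed from the kernel, so new sysctls generally do not need a number here; dropping this hunk avoids growing the uapi for no consumer. If it is kept, match the neighbouring entries' spacing: `NET_IPV4_ICMP_TIMESTAMP_IGNORE_ALL=126,`. The enum starts before this hunk.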
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index ab6d0d98dbc3..2047ca62b44e 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -1152,6 +1152,13 @@ EXPORT_SYMBOL_GPL(icmp_build_probe);
 static enum skb_drop_reason icmp_timestamp(struct sk_buff *skb)
 {
 	struct icmp_bxm icmp_param;
+	struct net *net;
+
+	net = dev_net(skb_dst(skb)->dev);
+
+	if (READ_ONCE(net->ipv4.sysctl_icmp_timestamp_ignore_all))
+		return SKB_NOT_DROPPED_YET;
+
 	/*
 	 *	Too short.
 	 */
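Review bot: `net` is declared uninitialised on the first added line and only assigned two lines later, whereas the echo-ignore check this mirrors appears to derive it at the point of declaration; `struct net *net = dev_net(skb_dst(skb)->dev);` keeps the variable always initialised and removes a statement. It is also worth checking whether the function's existing error path, which lies outside this hunk, re-derives the same net for its MIB counter and could now reuse this local. Returning SKB_NOT_DROPPED_YET for an ignored request consumes the skb without a drop reason, which matches how the echo ignore sysctl behaves, but a one-line comment such as `/* Silently consumed, same as icmp_echo_ignore_all. */` above the return would save the next reader a lookup. icmp_timestamp's body continues beyond the hunk.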
@@ -1469,6 +1476,9 @@ static int __net_init icmp_sk_init(struct net *net)
 	net->ipv4.sysctl_icmp_echo_enable_probe = 0;
 	net->ipv4.sysctl_icmp_echo_ignore_broadcasts = 1;

+	/* Control parameters for TIMESTAMP replies. */
+	net->ipv4.sysctl_icmp_timestamp_ignore_all = 0;
+
 	/* Control parameter - ignore bogus broadcast responses? */
 	net->ipv4.sysctl_icmp_ignore_bogus_error_responses = 1;

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 162a0a3b6ba5..b002426c3d9c 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -651,6 +651,15 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= ipv4_ping_group_range,
 	},
+	{
+		.procname	= "icmp_timestamp_ignore_all",
+		.data		= &init_net.ipv4.sysctl_icmp_timestamp_ignore_all,
+		.maxlen		= sizeof(u8),
+		.mode		= 0644,
+		.proc_handler	= proc_dou8vec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_ONE
+	},
 #ifdef CONFIG_NET_L3_MASTER_DEV
 	{
 		.procname	= "raw_l3mdev_accept",
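Review bot: The last initializer of the new entry, `.extra2 = SYSCTL_ONE` on the line before its closing brace, has no trailing comma, unlike the other designated initializers in this table (see `.proc_handler = ipv4_ping_group_range,` just above); add it so a later addition does not have to touch this line. The entry is also inserted after ping_group_range rather than beside the other icmp_* knobs in ipv4_net_table, which I believe are grouped earlier in the table (outside this hunk); keeping the ICMP sysctls together makes the new one easier to find and audit. Using proc_dou8vec_minmax with SYSCTL_ZERO/SYSCTL_ONE is consistent with the u8 field and restricts the value to 0 or 1, which is the right bound for a boolean knob. ipv4_net_table begins before this hunk.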
-- 
2.25.1
