Hello development folks,
just to make sure I am not about to submit another breaking patch: Is there any legitimate reason why a non-privileged user shall load kernel modules on an IPFire machine during its runtime?
Personally, I am only aware of some connection tracking stuff, but these require a reboot, thus being out of scope. Unless I overlooked something else, I would like to file a patch turning dev.tty.ldisc_autoload to 0. :-)
(Further information is available at https://lkml.org/lkml/2019/4/15/890)
Thanks, and best regards, Peter Müller
Malicious/vulnerable TTY line disciplines have been subject of some kernel exploits such as CVE-2017-2636, and since - to put it in Greg Kroah-Hatrman's words - we do not "trust the userspace to do the right thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should load kernel modules during runtime, anyway.
See also: - https://lkml.org/lkml/2019/4/15/890 - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d48c7734e..b5ede15ed 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers +# from loading vulnerable line disciplines with the TIOCSETD ioctl. +dev.tty.ldisc_autoload = 0 + # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 2
This does not exist before kernel 5.1.
-Michael
On 5 Oct 2020, at 20:45, Peter Müller peter.mueller@ipfire.org wrote:
Malicious/vulnerable TTY line disciplines have been subject of some kernel exploits such as CVE-2017-2636, and since - to put it in Greg Kroah-Hatrman's words - we do not "trust the userspace to do the right thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should load kernel modules during runtime, anyway.
See also:
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d48c7734e..b5ede15ed 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers +# from loading vulnerable line disciplines with the TIOCSETD ioctl. +dev.tty.ldisc_autoload = 0
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 2
-- 2.26.2
Hello Michael,
grmpf, overlooked some patched distribution kernel again. :-/
Sorry for the noise - I will keep the patch queued and wait for kernel 5.9 ...
Thanks, and best regards, Peter Müller
This does not exist before kernel 5.1.
-Michael
On 5 Oct 2020, at 20:45, Peter Müller peter.mueller@ipfire.org wrote:
Malicious/vulnerable TTY line disciplines have been subject of some kernel exploits such as CVE-2017-2636, and since - to put it in Greg Kroah-Hatrman's words - we do not "trust the userspace to do the right thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should load kernel modules during runtime, anyway.
See also:
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d48c7734e..b5ede15ed 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers +# from loading vulnerable line disciplines with the TIOCSETD ioctl. +dev.tty.ldisc_autoload = 0
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 2
-- 2.26.2
Hello Michael,
it seems as the kernel folks backported this into 4.14.x by now:
[root@maverick ~]# uname -a Linux maverick 4.14.212-ipfire #1 SMP Wed Dec 16 12:01:25 GMT 2020 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux [root@maverick ~]# sysctl dev.tty.ldisc_autoload dev.tty.ldisc_autoload = 1
Therefore, I would like to see this patch being merged - that is, if it is still applicable. :-)
Thanks, and best regards, Peter Müller
Hello Michael,
grmpf, overlooked some patched distribution kernel again. :-/
Sorry for the noise - I will keep the patch queued and wait for kernel 5.9 ...
Thanks, and best regards, Peter Müller
This does not exist before kernel 5.1.
-Michael
On 5 Oct 2020, at 20:45, Peter Müller peter.mueller@ipfire.org wrote:
Malicious/vulnerable TTY line disciplines have been subject of some kernel exploits such as CVE-2017-2636, and since - to put it in Greg Kroah-Hatrman's words - we do not "trust the userspace to do the right thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should load kernel modules during runtime, anyway.
See also:
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d48c7734e..b5ede15ed 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers +# from loading vulnerable line disciplines with the TIOCSETD ioctl. +dev.tty.ldisc_autoload = 0
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 2
-- 2.26.2
Okay, merged.
On 2 Apr 2021, at 20:30, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
it seems as the kernel folks backported this into 4.14.x by now:
[root@maverick ~]# uname -a Linux maverick 4.14.212-ipfire #1 SMP Wed Dec 16 12:01:25 GMT 2020 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux [root@maverick ~]# sysctl dev.tty.ldisc_autoload dev.tty.ldisc_autoload = 1
Therefore, I would like to see this patch being merged - that is, if it is still applicable. :-)
Thanks, and best regards, Peter Müller
Hello Michael,
grmpf, overlooked some patched distribution kernel again. :-/
Sorry for the noise - I will keep the patch queued and wait for kernel 5.9 ...
Thanks, and best regards, Peter Müller
This does not exist before kernel 5.1.
-Michael
On 5 Oct 2020, at 20:45, Peter Müller peter.mueller@ipfire.org wrote:
Malicious/vulnerable TTY line disciplines have been subject of some kernel exploits such as CVE-2017-2636, and since - to put it in Greg Kroah-Hatrman's words - we do not "trust the userspace to do the right thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should load kernel modules during runtime, anyway.
See also:
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d48c7734e..b5ede15ed 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers +# from loading vulnerable line disciplines with the TIOCSETD ioctl. +dev.tty.ldisc_autoload = 0
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 2
-- 2.26.2
Hello,
We have talked about this on the phone, but just for the record:
No, there is no reason for this. We load kernel modules at runtime, but only root does that. AFAIK there is no unprivileged user loading anything whatsoever.
-Michael
On 5 Oct 2020, at 17:07, Peter Müller peter.mueller@ipfire.org wrote:
Hello development folks,
just to make sure I am not about to submit another breaking patch: Is there any legitimate reason why a non-privileged user shall load kernel modules on an IPFire machine during its runtime?
Personally, I am only aware of some connection tracking stuff, but these require a reboot, thus being out of scope. Unless I overlooked something else, I would like to file a patch turning dev.tty.ldisc_autoload to 0. :-)
(Further information is available at https://lkml.org/lkml/2019/4/15/890)
Thanks, and best regards, Peter Müller
-
Michael Tremer -
Peter Müller