Re: Still learning! (kernel help)

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Wed Jan 04 2006 - 12:05:02 AKST

On Wed, 4 Jan 2006, Jamie Hushower wrote:

> I am curious and interested in the vulnerabilities you insinuate when a stock
> kernel is used. Assume that all unnecessary services are stopped and a
> firewall is in place. Also assume good encryption and strong passwords for SSH
> access. How does having a lot of options compiled into the kernel increase
> attack vectors? Mind, I'm not arguing; I'm ignorant. I have supported running
> stock kernels with all of the modules because it has allowed me to save *at
> least* 3 clients in that I moved a hard drive from one (damaged) server to
> another and had no issues getting the OS to boot and recognize all hardware.
> Is the danger only present when users are granted shell access? I have not
> administered any Linux servers except those that offer access of the non-shell
> variety (http, smtp, smb, etc.).

As I mentioned in a previous post: if you have a large number of disparate
hardware in whiteboxes to support then your approach may be a necessary evil.

The majority of vulnerabilities in software in general are not remotely
exploitable, so giving a shell to any user increases your risk exponentially.
But if you're running *any* network service that could possibly be vulnerable
to buffer overflows, etc., a local exploit could become remotely accessible.

Do all servers need USB support? This one is tricky, since so many are now
using USB for HID, but on older systems I never enabled USB, which would have
protected one from the URB DoS attack.

If users have physical access to the machine and can mount arbitrary
devices (USB, CDROM, etc.) there have been several filesystem DoS attacks as
well. Why leave every filesystem enabled as modules?

Have bluetooth support and tools installed? There was a local exploit to gain
root w/bluez_sock_create() via socket() or socket_pair(). And so on...

The good news is that Linux in general is robust enough that many of these
exploits have a specific set of conditions that need to be met before you're
vulnerable. But even so, having support for stuff you have no intention of
using can be dangerous. You may even inadvertently load some of those modules
yourself. I'd wager that there's at least a few of you with IPv6 modules in
memory just because some of your tools and/or daemons are autoprobing for IPv6
interfaces to listen on. That stack has had some vulnerabilities as well,
though luckily most, if not all, require an IPv6 interface to actually be
configured.

Just my $.02, but after adjusting for inflation it's not even worth that...

         --Arthur Corliss
           Bolverk's Lair -- http://arthur.corlissfamily.org/
           Digital Mages -- http://www.digitalmages.com/
           "Live Free or Die, the Only Way to Live" -- NH State Motto
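[Archive note, added example, not part of Arthur's message: one way to check the "modules loaded that you never meant to use" point above is to diff the running module list against an allowlist of what the box is actually supposed to need, and then block autoloading of the rest through modprobe.d. The allowlist and the lsmod sample below are constructed for illustration.]

```shell
#!/bin/sh
# Added example: audit loaded kernel modules against an allowlist and emit
# modprobe.d lines that keep the unexpected ones from being autoloaded.

# Modules this hypothetical web server is expected to have loaded (assumption).
ALLOWED="ext3 e1000 sd_mod"

# Constructed sample of `lsmod` output; on a live host pipe real `lsmod` in instead.
SAMPLE_LSMOD='Module                  Size  Used by
ipv6                  230000  12
bluetooth              50000  2 rfcomm
rfcomm                 30000  0
vfat                   12000  0
fat                    48000  1 vfat
usb_storage            60000  0
ext3                  120000  1
e1000                  90000  0
sd_mod                 20000  2'

# Print, one per line, every loaded module that is not on the allowlist ($1).
# Reads lsmod-format text on stdin: header line first, module name in column 1.
unexpected_modules() {
    allowed=" $1 "
    tail -n +2 | awk '{print $1}' | while IFS= read -r mod; do
        case "$allowed" in
            *" $mod "*) ;;                  # expected module, stay quiet
            *) printf '%s\n' "$mod" ;;      # not on the list, report it
        esac
    done
}

# Emit modprobe.d lines for the given modules. "install NAME /bin/true" makes
# modprobe run /bin/true instead of loading NAME, which also defeats loads that
# a plain "blacklist NAME" line would still allow (explicit or dependency loads).
modprobe_deny_lines() {
    for mod in "$@"; do
        printf 'install %s /bin/true\n' "$mod"
    done
}

# Usage against the constructed sample: list the surprises, then the deny lines
# you would review before dropping them into /etc/modprobe.d/.
printf '%s\n' "$SAMPLE_LSMOD" | unexpected_modules "$ALLOWED"
modprobe_deny_lines $(printf '%s\n' "$SAMPLE_LSMOD" | unexpected_modules "$ALLOWED")
```

Review the list before denying anything: a module like `fat` shows up only because `vfat` depends on it, and blocking a module a running service relies on is its own kind of DoS.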
Received on Wed Jan 4 12:05:22 2006
