[Triumf-linux-managers] kernel vulnerability

Andrew Daviel advax at triumf.ca
Sun Aug 16 15:26:28 PDT 2009


On Fri, 14 Aug 2009, Kelvin Raywood wrote:

> Note this vulnerability can only be exploited by someone who can already 
> login as a normal user.  If you are concerned about this, then you should 
> follow one of the following recommendations.

Or who is able to leverage another vulnerability in an application, e.g. 
Adobe reader or the Flash plugin. But hackers don't seem to bother trying 
this - I think it's too much work, and exploits have to be targeted at 
particular kernel versions. Easier to go after XP users.

It sounds like the vulnerability is potentially in lots of kernel 
modules, but the current exploits are against Bluetooth and PPP modules.
Most desktops and servers don't use these, and they can be safely 
disabled:

# service bluetooth stop ; chkconfig bluetooth off
# service isdn stop ; chkconfig isdn off
# chkconfig irda off

The Logitech deNovo bluetooth keyboards in the conference rooms don't use 
the Linux bluetooth service (in fact, I think it interferes). Some people 
might possibly have other Bluetooth keyboards, headsets etc. which use 
the service; if so, you should assess the risk of the local exploit vs. 
required functionality.

Some people may use PPP for dialup, or for accessing the Internet via 
cellphone connections. Again, you should assess the risk.
IRDA may be used to control your TV from your laptop :-)
Appletalk may be used by people with Apple networks.

On my Fedora 9 system, modules.conf seems to be replaced by
/etc/modules.d/*
I believe any file in there will work to list disabled modules, as per 
the Redhat advisory. I created /etc/modules.d/blocks with

install pppox /bin/true
install bluetooth /bin/true
install isdn /bin/true
install ipx /bin/true
install appletalk /bin/true
install sctp /bin/true
install irda /bin/true
install ax25 /bin/true

These entries prevent the module being installed by modprobe. It's best 
to disable the service too, with chkconfig, otherwise it may get 
confusing.
The TRIUMF RPM disables only modules used by RedHat Enterprise, viz.
pppox, bluetooth, sctp. I think I've seen isdn enabled on a couple of 
systems.



SCTP seems to be used by ip6tables, but only I think if connection 
tracking is enabled. We don't use IPv6 (yet). But it is recommended to 
keep ip6tables running as IPv6 can be a backdoor around IPv4 firewalls. 
IPv6 is generally enabled in modern Linux distros, even if it doesn't 
route anywhere yet in most of North America.

http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
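
Added example, not part of the original message: a shell audit that checks each module in the block list above for an "install MODULE /bin/true" entry and for whether it is still loaded. The function names, the configuration directory passed as an argument and the demo data are assumptions made for illustration; the demo data is constructed.

```shell
#!/bin/sh
# Added example: audit the module block list from the message above.
MODULES="pppox bluetooth isdn ipx appletalk sctp irda ax25"

# is_blocked DIR MODULE: true if a file in DIR holds "install MODULE /bin/true".
is_blocked() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v m="$2" '{ sub(/#.*/, "") }
            $1 == "install" && $2 == m && $3 == "/bin/true" { ok = 1 }
            END { exit !ok }' "$f" && return 0
    done
    return 1
}

# is_loaded PROCFILE MODULE: true if MODULE is listed in a /proc/modules-format file.
is_loaded() {
    awk -v m="$2" '$1 == m { hit = 1 } END { exit !hit }' "$1"
}

# audit DIR PROCFILE: one line per module; non-zero status if any module is
# unblocked or still loaded (a block entry stops modprobe, but a module that
# is already in memory stays there until it is unloaded or the host reboots).
audit() {
    rc=0
    for mod in $MODULES; do
        b=no; l=no
        is_blocked "$1" "$mod" && b=yes
        is_loaded "$2" "$mod" && l=yes
        echo "$mod blocked=$b loaded=$l"
        [ "$b" = yes ] && [ "$l" = no ] || rc=1
    done
    return $rc
}

# demo: run the audit over constructed sample data (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/conf"
    printf 'install pppox /bin/true\n# install isdn /bin/true\ninstall bluetooth /bin/true\n' > "$d/conf/blocks"
    printf 'bluetooth 53925 2 rfcomm, Live 0xf8a1c000\next3 123593 2 - Live 0xf88d4000\n' > "$d/proc_modules"
    st=0; audit "$d/conf" "$d/proc_modules" || st=$?
    rm -rf "$d"
    return $st
}

# Usage: sh audit.sh DIR [PROCFILE]; with no arguments the constructed demo runs.
if [ $# -ge 1 ]; then audit "$1" "${2:-/proc/modules}"; else demo || echo "demo: gaps above are part of the constructed sample"; fi
```
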

