Re: [CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability

2016-06-28 Thread James B. Byrne

On Mon, June 27, 2016 12:29, Gordon Messmer wrote:
> On 06/26/2016 01:50 PM, James B. Byrne wrote:
>> However, all I am seeking is knowledge on how to handle this using
>> iptables.  I am sure that this defect/anomaly has already been
>> solved wherever it is an issue.  Does anyone have an example on
>> how to do this?
>
>
> I think the bit you're missing is that you don't have to address every
> detail that your auditors send you.  You can label an item a false
> positive.  You can respond that you are aware, and that you don't
> consider an item to be a security defect.  Fingerprinting is an
> excellent example thereof.  As was already noted, the IP ID field is
> just one of many aspects of IP networking that can be used to identify
> Linux systems.  If you don't address them all, addressing one is not a
> useful exercise.

I understand WRT false positive flagging.  And that is exactly what I
have done.  However, the PCI DSS report piqued my interest in this
matter and I thought to satisfy my curiosity.  The other stuff flagged
in the report seemed a little far-fetched to me. At least the
explanation of why they were flagged did.

As none of them affect our PCI status I have no interest in the rest.
This one, however, I was previously unaware of, and so I wanted to discover
more about it.

Thank you for the information and especially for the references.

Sincerely,



-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                  mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive                vox: +1 905 561 1241
Hamilton, Ontario               fax: +1 905 561 0757
Canada  L8E 3C3

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability

2016-06-27 Thread Gordon Messmer

On 06/26/2016 01:50 PM, James B. Byrne wrote:

However, all I am seeking is knowledge on how to handle this using
iptables.  I am sure that this defect/anomaly has already been solved
wherever it is an issue.  Does anyone have an example on how to do
this?



I think the bit you're missing is that you don't have to address every 
detail that your auditors send you.  You can label an item a false 
positive.  You can respond that you are aware, and that you don't 
consider an item to be a security defect.  Fingerprinting is an 
excellent example thereof.  As was already noted, the IP ID field is 
just one of many aspects of IP networking that can be used to identify 
Linux systems.  If you don't address them all, addressing one is not a 
useful exercise.


Still, if you enjoy jumping through hoops, there used to be a few 
options to do this:


https://nmap.org/misc/defeat-nmap-osdetect.html

The comment you quoted did not say that the field could be mangled by 
iptables, and as far as I can tell, no module is available to mangle 
that field.


http://www.iptables.info/en/structure-of-iptables.html#MANGLETABLE

And if none of those are acceptable, then consider upgrading to a newer 
system.  Fyodor says that recent versions of Linux no longer behave this 
way.


http://seclists.org/bugtraq/2002/Mar/372

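What the auditor's scanner is actually looking at, as an added illustration that is not part of this thread and not code from any of the posters or from CentOS: the script below parses the IPv4 header of a sample of a host's outgoing UDP datagrams, keeps only the unfragmented ones the CVE text describes, and classifies the Identification field as all-zero (the CVE-2002-0510 signature), constant, incremental or random. The packets are constructed inline rather than captured, the class labels and the delta threshold of 16 for "incremental" are this example's own choices, and the addresses and ports in the builder are placeholders.

```python
"""
Does a host show the CVE-2002-0510 signature (IP ID always 0 on unfragmented
UDP datagrams)?  Parse a sample of its outgoing packets and classify the
Identification field the way an OS-fingerprinting scanner would.
"""
import struct
from typing import Iterable, List

IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit big-endian words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields that matter for ID-field analysis, verifying the checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, ident, flags_frag,
     ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:          # a valid header sums to zero with its checksum in place
        raise ValueError("bad IPv4 header checksum")
    return {
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_off": flags_frag & 0x1FFF,
        "ttl": ttl,
        "proto": proto,
    }


def classify_ids(ids: List[int]) -> str:
    """Label a sequence of IP IDs observed on consecutive unfragmented datagrams."""
    if len(ids) < 3:
        return "insufficient-sample"
    if all(i == 0 for i in ids):
        return "all-zero"                          # the behaviour CVE-2002-0510 describes
    if len(set(ids)) == 1:
        return "constant"
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]   # modulo 2**16 handles wraparound
    if all(1 <= d <= 16 for d in deltas):           # threshold is this example's own choice
        return "incremental"                       # a global or per-peer counter
    return "random"


def fingerprint_udp_ipid(packets: Iterable[bytes]) -> str:
    """Classify only the datagrams the CVE text covers: UDP and not fragmented."""
    ids = []
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h["proto"] == IPPROTO_UDP and not h["mf"] and h["frag_off"] == 0:
            ids.append(h["id"])
    return classify_ids(ids)


def build_ipv4_udp(ident: int, df: bool, mf: bool = False, payload: bytes = b"x" * 8,
                   src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample packet (not a real capture): IPv4 header + UDP header + payload."""
    # UDP checksum 0 means "not computed", which IPv4 permits; ports are placeholders.
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, flags_frag,
                      64, IPPROTO_UDP, 0, src, dst)
    csum = ipv4_checksum(hdr)                        # checksum is computed over the header with field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + udp


if __name__ == "__main__":
    constant_zero_host = [build_ipv4_udp(0, df=True) for _ in range(10)]
    counter_host = [build_ipv4_udp(0x1234 + n, df=False) for n in range(10)]
    print("constant-zero host:", fingerprint_udp_ipid(constant_zero_host))
    print("counter host:      ", fingerprint_udp_ipid(counter_host))
```

To run the same check against a real host, capture its outgoing UDP with `tcpdump -vnn udp` and read the `id` value tcpdump prints for each IPv4 header; a column of zeros is exactly what the auditor's tool flagged. Note the caveat that matches Cox's NVD comment: for an atomic datagram (DF set, MF clear, offset 0) RFC 6864 allows the sender to put any value in the ID field, a constant included, so the finding is a fingerprint of the implementation rather than a protocol defect, and the host's TTL, TCP options and ICMP quirks give the same information anyway.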


Re: [CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability

2016-06-26 Thread James B. Byrne

On Fri, June 24, 2016 12:24, John R Pierce wrote:
> On 6/24/2016 9:20 AM, James B. Byrne wrote:
>> We received a notice from our pci-dss auditors respecting this:
>>
>> CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the
>> IP Identification field at 0 for all non-fragmented packets, which
>> could allow remote attackers to determine that a target system is
>> running Linux.
>
>
> 2.4 kernels are kinda old.   kinda really really old.are you still
> running CentOS 4 on PCI audited systems ?!??
>
>

The CVE is from 2002 and the kernel mentioned refers to the original
report.  Linux core team said it was a non-problem and the issue
remains in the kernel found in CentOS-6.8.  Possibly the one in 7.
Perhaps it is still present in the development branch.

However, all I am seeking is knowledge on how to handle this using
iptables.  I am sure that this defect/anomaly has already been solved
wherever it is an issue.  Does anyone have an example on how to do
this?





Re: [CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability

2016-06-24 Thread John R Pierce

On 6/24/2016 9:20 AM, James B. Byrne wrote:

We received a notice from our pci-dss auditors respecting this:

CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the
IP Identification field at 0 for all non-fragmented packets, which
could allow remote attackers to determine that a target system is
running Linux.



2.4 kernels are kinda old.   kinda really really old.   are you still
running CentOS 4 on PCI audited systems ?!??



--
john r pierce, recycling bits in santa cruz



[CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability

2016-06-24 Thread James B. Byrne
We received a notice from our pci-dss auditors respecting this:

CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the
IP Identification field at 0 for all non-fragmented packets, which
could allow remote attackers to determine that a target system is
running Linux.

The NVD entry for which contains this note:

 CHANGE> [Cox changed vote from REVIEWING to NOOP]
 Cox> So I asked some kernel guys about this - it's not considered
   an issue.  There are several other ways to identify Linux on
   the wire and people who care about this kind of thing rewrite
   their packets in various ways via firewall technology to trick
   the identifier programs.


So, what packet mangling may be done in iptables to solve this without
breaking udp transmission? I take it that we are talking about
something in the prerouting chain but what kind of mangling is safe?
Is there an example somewhere?

