
[Security] caclmgrd: remove permit source port 179 #9827

Merged (1 commit), Feb 17, 2022

Conversation

bluecmd
Contributor

@bluecmd bluecmd commented Jan 21, 2022

Why I did it

Fixes #9916.

I detected that all traffic that uses a source port TCP/179 will be allowed with no option of disabling this.

An attacker can trivially send packets with any source port they wish, so this would allow bypassing any control plane ACL.

How I did it

I removed these statements. They appear to be for allowing BGP, but the needed rules are already present:

  • Allow destination port 179
  • Allow established connections

How to verify it

If this patch is wrong, BGP would not work, so test BGP and see that it works.
Also, you can check in a running instance /without/ this patch that iptables -vnL shows that 0 packets have been accepted into the tcp spt:179 rule.

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111

Reason: Security patch. caclmgrd was introduced in 202012 it seems.

Description for the changelog

caclmgrd: Remove explicit permit source port 179

A picture of a cute animal (not mandatory but encouraged)


Remove insecure opening of source port 179

Signed-off-by: Christian Svensson <[email protected]>
@bluecmd bluecmd requested a review from lguohan as a code owner January 21, 2022 18:19
@bluecmd
Contributor Author

bluecmd commented Jan 27, 2022

I managed to create an easy repro. With a loopback interface configured as 11.11.11.111/32, a normal nmap -sT 11.11.11.111 hits the DROP rule 224 11200 DROP all -- * * 0.0.0.0/0 11.11.11.111. The scan takes a very long time and gives no results.

However, using sudo nmap -g 179 -sS 11.11.11.111 allows one to bypass all control plane ACLs:

Starting Nmap 7.70 ( https://nmap.org ) at 2022-01-27 20:22 UTC
Nmap scan report for 11.11.11.111
Host is up (0.000064s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
179/tcp  open  bgp
443/tcp  open  https
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 14.91 seconds

Iptables output:

Chain INPUT (policy ACCEPT 22132 packets, 1362K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 339M  123G ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0           
4019K  325M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
  297 97416 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:546:547
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:179
 1060 46640 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:179
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.0.0.11           
  224 11200 DROP       all  --  *      *       0.0.0.0/0            11.11.11.111         
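A first-match model of the INPUT chain shown in the iptables output above, added here as an example (not code from this PR or from SONiC): it evaluates constructed packets against the chain with and without the tcp spt:179 rule, showing that this rule alone is what admits an unsolicited SYN to port 22, while BGP in both directions is still accepted by the dpt:179 and RELATED,ESTABLISHED rules once it is removed. The Packet/Rule classes, the 40000 ephemeral port and the simplified rule list are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed packets and rules for this example; not output from a real SONiC device.
@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    established: bool = False   # conntrack state RELATED,ESTABLISHED
    dst: str = "11.11.11.111"   # the loopback address from the repro

@dataclass(frozen=True)
class Rule:
    target: str                 # "ACCEPT" or "DROP"
    proto: str = "all"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ctstate_established: bool = False
    dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "all" or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (not self.ctstate_established or p.established)
                and (self.dst is None or self.dst == p.dst))

def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

# Simplified INPUT chain as generated before this PR (ICMP/DHCP rules omitted).
VULNERABLE = [
    Rule("ACCEPT", ctstate_established=True),  # replies to sessions we initiated
    Rule("ACCEPT", proto="tcp", dport=179),    # a peer opening BGP towards us
    Rule("ACCEPT", proto="tcp", sport=179),    # the rule this PR removes
    Rule("DROP", dst="11.11.11.111"),          # control plane ACL deny
]
FIXED = [r for r in VULNERABLE if r.sport != 179]   # same chain without spt:179

def check(chain: List[Rule]) -> dict:
    """Verdicts for the three traffic patterns the PR discussion cares about."""
    return {
        "peer_opens_bgp": verdict(chain, Packet("tcp", sport=40000, dport=179)),
        "bgp_reply_to_us": verdict(chain, Packet("tcp", sport=179, dport=40000, established=True)),
        "spt179_to_ssh": verdict(chain, Packet("tcp", sport=179, dport=22)),   # the nmap -g 179 case
    }
```

Running check() on both chains is the equivalent of the "test BGP and see that it works" step: only the spt179_to_ssh verdict changes between the two.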

@bluecmd
Contributor Author

bluecmd commented Feb 1, 2022

@yxieca as you are reviewing my other ACL PR, do you think you could review this one as well?

@yxieca yxieca requested a review from abdosi February 1, 2022 16:19
Successfully merging this pull request may close these issues.

[Security] caclmgrd always allows all control plane traffic sourced from port TCP/179