Desktop/Whiteboards/AvahiDefault

From FedoraProject

< Desktop | Whiteboards(Difference between revisions)
Jump to: navigation, search
(Add comment from SteveGrubb)
(Unbork redundancy)
 
(9 intermediate revisions by one user not shown)
Line 23: Line 23:
 
We would like to enumerate those issues here, so that we can sufficiently neuter Avahi so that it can be run by default without a firewall and not pose any threat to the system. The end goal is to facilitate the above use cases, and others like it.  
 
We would like to enumerate those issues here, so that we can sufficiently neuter Avahi so that it can be run by default without a firewall and not pose any threat to the system. The end goal is to facilitate the above use cases, and others like it.  
  
=== Privacy: PTR and HINFO records ===
+
=== Privacy: HINFO records ===
  
 
By default Avahi publishes the following information.
 
By default Avahi publishes the following information.
Line 30: Line 30:
 
* CPU architecture, and system type (HINFO records)
 
* CPU architecture, and system type (HINFO records)
  
Recommendation: Don't publish anything unless specifically approved by the user.
+
'''Recommendation''': Don't publish anything unless specifically approved by the user.
 +
 
 +
'''Resolution''': Lennart changed the defaults in avahi. [http://git.0pointer.de/?p=avahi.git;a=commit;h=530fbb59abafb970ef1dd8f61571b13fb0918b23] [http://git.0pointer.de/?p=avahi.git;a=commit;h=468519681b09f00851e1d4dd658b939e4e938cf6]
 +
 
 +
=== Privacy: Host name ===
 +
 
 +
By default Avahi publishes the host name.
 +
 
 +
DHCP does the same thing. By joining a new network (eg: wireless) the user shares their host name with that network.
 +
 
 +
If a technical user disables DHCP on their machine for security reasons, they can also disable Avahi.
 +
 
 +
'''Recommendation''': Not a problem. No more of a problem than DHCP.
 +
 
 +
'''Resolution''': Enabling avahi by default does not cause further advertising of host name.
  
 
=== Privacy: SSH service ===
 
=== Privacy: SSH service ===
Line 36: Line 50:
 
Installed by avahi package on Fedora.
 
Installed by avahi package on Fedora.
  
Recommendation: Only advertise over Avahi when service is enabled. When service is enabled allow through firewall. Disable service by default.
+
'''Recommendation''': Only advertise over Avahi when service is enabled. When service is enabled allow through firewall. Disable service by default. [https://bugzilla.redhat.com/show_bug.cgi?id=809239]
  
 
=== Privacy: libvirt service ===
 
=== Privacy: libvirt service ===
Line 42: Line 56:
 
virt-manager can connect to it and show you the VM available on the remote system: http://virt-manager.org/page/LibvirtDiscovery
 
virt-manager can connect to it and show you the VM available on the remote system: http://virt-manager.org/page/LibvirtDiscovery
  
Recommendation: Disable remote VM access and discovery by default
+
'''Recommendation''': Disable remote VM access and discovery by default
 +
 
 +
'''Resolution''': Now disabled in libvirt by default. [http://libvirt.org/git/?p=libvirt.git;a=commit;h=53e1d56dd468e945ad311f46221a357dffda787b]
  
 
=== Privacy: udisks service ===
 
=== Privacy: udisks service ===
  
Already removed in udisks2
+
'''Resolution''': Already removed in udisks2
  
 
=== Unnecessary attack vector: browse-domains ===
 
=== Unnecessary attack vector: browse-domains ===
  
 
From the man page it's just not clear what "browse-domains" actually does, but based on http://0pointer.de/blog/projects/avahi-wide-area.html and some experiments this seems to add more hosts that can be offered automatically by a GUI.  The default <code>browse-domains=0pointer.de, zeroconf.org</code> should probably be disabled - it's very unlikely these entries will be useful, and it just adds more ways to attack the code (in particular, by a MITM that is not connected to the local network).
 
From the man page it's just not clear what "browse-domains" actually does, but based on http://0pointer.de/blog/projects/avahi-wide-area.html and some experiments this seems to add more hosts that can be offered automatically by a GUI.  The default <code>browse-domains=0pointer.de, zeroconf.org</code> should probably be disabled - it's very unlikely these entries will be useful, and it just adds more ways to attack the code (in particular, by a MITM that is not connected to the local network).
 +
 +
'''Recommendation''': Remove browse-domains configured by default.
 +
 +
'''Resolution''': Now removed by in avahi default configuration. [http://git.0pointer.de/?p=avahi.git;a=commit;h=938b5f883fbaa642e3acb7720e37f95f3d72be62]
  
 
=== Possible Security: nsswitch.conf integration ===
 
=== Possible Security: nsswitch.conf integration ===
Line 61: Line 81:
  
 
In addition, if DHCP is used on the network in question (usually the case), then the attacker can simply push another DNS server to the client machine and attack using that vector instead.
 
In addition, if DHCP is used on the network in question (usually the case), then the attacker can simply push another DNS server to the client machine and attack using that vector instead.
 +
 +
'''Recommendation''': Since this only affects <code>.local</code> domains, which are explicitly provided by zeroconf, this is not a security issue. If specific networks make the risky move of reappropriating <code>.local</code> for other purposes, they can deal with the consequences as appropriate to their situation.
 +
 +
'''Resoultion''': Theoretical issues sufficiently mitigated.
  
 
=== Possible Security: High range port ===
 
=== Possible Security: High range port ===
  
 
mDNS is on port 5353 which requires no permissions to bind to. So, any malicious user on the network can advertise they are the printer and intercept any printing and the forward it to the real printer. Doesn't IPP allow discovery? Its on port 631 which means you have a little more  trust. Sure, you can still have a mailicious user running his own OS and having root access. But at least you moved the attack from anyone can do it to they have to be in control of their system. -- SteveGrubb
 
mDNS is on port 5353 which requires no permissions to bind to. So, any malicious user on the network can advertise they are the printer and intercept any printing and the forward it to the real printer. Doesn't IPP allow discovery? Its on port 631 which means you have a little more  trust. Sure, you can still have a mailicious user running his own OS and having root access. But at least you moved the attack from anyone can do it to they have to be in control of their system. -- SteveGrubb
 +
 +
* Obviously on a network you are physically at, it's extremely hard to prevent a device that the attacker has root access on. But I understand that for remote unprivileged access to a machine on a network, it's undesirable for a malicious user to advertise a printer. -- StefWalter
 +
* However it's important to note here, that they cannot advertize just *any* DNS record via mDNS. mDNS strictly operates on ZeroConf <code>.local</code> domains and Avahi enforces this. So they cannot advertise they are the printer, and intercept printing to another network printer. -- StefWalter
 +
 +
'''Resoultion''': Theoretical issues sufficiently mitigated.
 +
 +
=== Modifying iptables ===
 +
 +
One of the objections is that it used to change iptables settings on startup.
 +
Not sure if that was removed. -- SteveGrubb
 +
 +
* There's no code like this there. Lennart doesn't recall any such code. -- Stef Walter
 +
* Perhaps it was patched in by someone? Anyway, I agree that avahi shouldn't be doing this, and it currently doesn't. -- Lennart
 +
 +
'''Resolution''': Not an issue.

Latest revision as of 15:54, 10 April 2012

Contents

[edit] Avahi by Default on the Desktop

Note: this is not a place to gather opinions, but please do contribute with actual facts or research.

[edit] Use case

  • User is in at home or in a print shop (like Kinkos) and wants to print to a printer for the first time.
  • Opens "Printers" in System Settings to add a new printer.
  • The printer is advertised using MDNS and user sees it displayed, clicks on it to install.

Currently this does not work in Fedora. Avahi is blocked by our firewall by default. Obviously many printers don't use MDNS. This is about MDNS and our implementation: Avahi.

Note that a firewall is orthogonal this use case, even if security "zones" were implemented. We want printers to be discoverable from the "Printers" control panel even on possibly "hostile" networks. The user should not have to type their root or login password for a policy kit prompt to see printers on the network. Neither should they have to disable their firewall or otherwise diddle it.

[edit] Goal

If the current implementation of automatic printer discovery using MDNS is not secure, it should be possible to make it secure and make the above use case work. If it is absolutely impossible to make it secure, then we want to discover exactly why.

[edit] Privacy and Security Issues

Running Avahi by default, in its current state, causes security and privacy issues.

We would like to enumerate those issues here, so that we can sufficiently neuter Avahi so that it can be run by default without a firewall and not pose any threat to the system. The end goal is to facilitate the above use cases, and others like it.

[edit] Privacy: HINFO records

By default Avahi publishes the following information.

  • Host name
  • CPU architecture, and system type (HINFO records)

Recommendation: Don't publish anything unless specifically approved by the user.

Resolution: Lennart changed the defaults in avahi. [1] [2]

[edit] Privacy: Host name

By default Avahi publishes the host name.

DHCP does the same thing. By joining a new network (eg: wireless) the user shares their host name with that network.

If a technical user disables DHCP on their machine for security reasons, they can also disable Avahi.

Recommendation: Not a problem. No more of a problem than DHCP.

Resolution: Enabling avahi by default does not cause further advertising of host name.

[edit] Privacy: SSH service

Installed by avahi package on Fedora.

Recommendation: Only advertise over Avahi when service is enabled. When service is enabled allow through firewall. Disable service by default. [3]

[edit] Privacy: libvirt service

virt-manager can connect to it and show you the VM available on the remote system: http://virt-manager.org/page/LibvirtDiscovery

Recommendation: Disable remote VM access and discovery by default

Resolution: Now disabled in libvirt by default. [4]

[edit] Privacy: udisks service

Resolution: Already removed in udisks2

[edit] Unnecessary attack vector: browse-domains

From the man page it's just not clear what "browse-domains" actually does, but based on http://0pointer.de/blog/projects/avahi-wide-area.html and some experiments this seems to add more hosts that can be offered automatically by a GUI. The default browse-domains=0pointer.de, zeroconf.org should probably be disabled - it's very unlikely these entries will be useful, and it just adds more ways to attack the code (in particular, by a MITM that is not connected to the local network).

Recommendation: Remove browse-domains configured by default.

Resolution: Now removed by in avahi default configuration. [5]

[edit] Possible Security: nsswitch.conf integration

Unclear if this is a security problem.

With the nsswitch.conf integration, MDNS can affect the resolv lookups on the machine. This is limited to .local domains, and domains explicitly configured in avahi for MDNS.

In theory, changing the results of resolver lookups can be a limited security threat, when running on a hostile network. However this is limited to .local by default.

In addition, if DHCP is used on the network in question (usually the case), then the attacker can simply push another DNS server to the client machine and attack using that vector instead.

Recommendation: Since this only affects .local domains, which are explicitly provided by zeroconf, this is not a security issue. If specific networks make the risky move of reappropriating .local for other purposes, they can deal with the consequences as appropriate to their situation.

Resoultion: Theoretical issues sufficiently mitigated.

[edit] Possible Security: High range port

mDNS is on port 5353 which requires no permissions to bind to. So, any malicious user on the network can advertise they are the printer and intercept any printing and the forward it to the real printer. Doesn't IPP allow discovery? Its on port 631 which means you have a little more trust. Sure, you can still have a mailicious user running his own OS and having root access. But at least you moved the attack from anyone can do it to they have to be in control of their system. -- SteveGrubb

  • Obviously on a network you are physically at, it's extremely hard to prevent a device that the attacker has root access on. But I understand that for remote unprivileged access to a machine on a network, it's undesirable for a malicious user to advertise a printer. -- StefWalter
  • However it's important to note here, that they cannot advertize just *any* DNS record via mDNS. mDNS strictly operates on ZeroConf .local domains and Avahi enforces this. So they cannot advertise they are the printer, and intercept printing to another network printer. -- StefWalter

Resoultion: Theoretical issues sufficiently mitigated.

[edit] Modifying iptables

One of the objections is that it used to change iptables settings on startup. Not sure if that was removed. -- SteveGrubb

  • There's no code like this there. Lennart doesn't recall any such code. -- Stef Walter
  • Perhaps it was patched in by someone? Anyway, I agree that avahi shouldn't be doing this, and it currently doesn't. -- Lennart

Resolution: Not an issue.