SIP protocol compatibility with ARC++ NAT

Issue description: Investigate adding/improving conntrack helpers so that cleartext SIP (5060/udp and 5060/tcp on IPv4) works in ARC++. The primary use case is to make voice+video calls using the Cisco Jabber Android app.

Dec 7 2017
For this bug we're limiting the scope to on-prem mode, i.e. cleartext SIP control messages on 5060/udp or 5060/tcp. It is my recollection that edge mode uses SIP-TLS on 5061/udp or 5061/tcp. In that case we have to rely on the client using other NAT circumvention techniques, as the router won't be able to inspect the SIP control packets to figure out which ports to open.

Dec 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/76d362bf03f82544eee106ae53013f7754312a95

commit 76d362bf03f82544eee106ae53013f7754312a95
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Tue Dec 12 03:37:52 2017

FROMLIST: netfilter: nfnetlink_cthelper: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, nfnl_cthelper_list is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    $ nfct helper list
    nfct v1.4.4: netlink error: Operation not permitted

    $ vpnns -- nfct helper list
    {
    .name = ftp,
    .queuenum = 0,
    .l3protonum = 2,
    .l4protonum = 6,
    .priv_data_len = 24,
    .status = enabled,
    };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than trying to generalize the solution.

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Link: https://patchwork.kernel.org/patch/10089373/

BUG=chromium:792264
TEST=buildbots

Change-Id: I012eeeac3c8c019a95f5bebc0f0753ffdf709144
Reviewed-on: https://chromium-review.googlesource.com/810015
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/76d362bf03f82544eee106ae53013f7754312a95/net/netfilter/nfnetlink_cthelper.c

Dec 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/08071d874a9e13b07b81a2d2217fbc3e9cb47e3e

commit 08071d874a9e13b07b81a2d2217fbc3e9cb47e3e
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Tue Dec 12 03:37:51 2017

FROMLIST: netfilter: nfnetlink_cthelper: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, nfnl_cthelper_list is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    $ nfct helper list
    nfct v1.4.4: netlink error: Operation not permitted

    $ vpnns -- nfct helper list
    {
    .name = ftp,
    .queuenum = 0,
    .l3protonum = 2,
    .l4protonum = 6,
    .priv_data_len = 24,
    .status = enabled,
    };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than trying to generalize the solution.

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Link: https://patchwork.kernel.org/patch/10089373/

BUG=chromium:792264
TEST=buildbots

Change-Id: I012eeeac3c8c019a95f5bebc0f0753ffdf709144
Reviewed-on: https://chromium-review.googlesource.com/810013
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/08071d874a9e13b07b81a2d2217fbc3e9cb47e3e/net/netfilter/nfnetlink_cthelper.c

Dec 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8c9f0c888797920fcbc3fe35419dfd0b1b888de4

commit 8c9f0c888797920fcbc3fe35419dfd0b1b888de4
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Tue Dec 12 16:37:40 2017

FROMLIST: netfilter: nfnetlink_cthelper: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, nfnl_cthelper_list is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    $ nfct helper list
    nfct v1.4.4: netlink error: Operation not permitted

    $ vpnns -- nfct helper list
    {
    .name = ftp,
    .queuenum = 0,
    .l3protonum = 2,
    .l4protonum = 6,
    .priv_data_len = 24,
    .status = enabled,
    };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than trying to generalize the solution.

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Link: https://patchwork.kernel.org/patch/10089373/

BUG=chromium:792264
TEST=buildbots

Change-Id: I012eeeac3c8c019a95f5bebc0f0753ffdf709144
Reviewed-on: https://chromium-review.googlesource.com/809963
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/8c9f0c888797920fcbc3fe35419dfd0b1b888de4/net/netfilter/nfnetlink_cthelper.c

Dec 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ac9e1c47aaa3003cff6ba3bfd2c16599e14595da

commit ac9e1c47aaa3003cff6ba3bfd2c16599e14595da
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Tue Dec 12 16:37:37 2017

FROMLIST: netfilter: nfnetlink_cthelper: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, nfnl_cthelper_list is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    $ nfct helper list
    nfct v1.4.4: netlink error: Operation not permitted

    $ vpnns -- nfct helper list
    {
    .name = ftp,
    .queuenum = 0,
    .l3protonum = 2,
    .l4protonum = 6,
    .priv_data_len = 24,
    .status = enabled,
    };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than trying to generalize the solution.

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Link: https://patchwork.kernel.org/patch/10089373/

BUG=chromium:792264
TEST=buildbots

Change-Id: I012eeeac3c8c019a95f5bebc0f0753ffdf709144
Reviewed-on: https://chromium-review.googlesource.com/810014
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/ac9e1c47aaa3003cff6ba3bfd2c16599e14595da/net/netfilter/nfnetlink_cthelper.c

Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4ac7b89058133f7f0bd35efb7a7f31f0be2ba5a7

commit 4ac7b89058133f7f0bd35efb7a7f31f0be2ba5a7
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Dec 14 06:33:09 2017

FROMGIT: netfilter: xt_osf: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    vpnns -- nfnl_osf -f /tmp/pf.os
    vpnns -- nfnl_osf -f /tmp/pf.os -d

These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't.

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from davem/net commit 916a27901de01446bcf57ecca4783f6cff493309)

BUG=chromium:792264
TEST=tested in a VM on a PC

Change-Id: I5a0f30d0386f816fe51aea7b24b07043b66da21d
Reviewed-on: https://chromium-review.googlesource.com/825923
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/4ac7b89058133f7f0bd35efb7a7f31f0be2ba5a7/net/netfilter/xt_osf.c

Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/dd406748337cde4d1632180d872736462e91d8a2

commit dd406748337cde4d1632180d872736462e91d8a2
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Dec 14 06:33:10 2017

FROMGIT: netlink: Add netns check on taps

Currently, a nlmon link inside a child namespace can observe systemwide netlink activity. Filter the traffic so that nlmon can only sniff netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x6162633132330000000000000000000000000000 \
        enc aes 0x00000000000000000000000000000000
    grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from davem/net commit 93c647643b48f0131f02e45da3bd367d80443291)

BUG=chromium:792264
TEST=tested in a VM on a PC

Change-Id: I2a67469e497046d983f54fb77c4931d5db65934d
Reviewed-on: https://chromium-review.googlesource.com/825924
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/dd406748337cde4d1632180d872736462e91d8a2/net/netlink/af_netlink.c

Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fd32647dac45262209af61c4f7b523ce8543fc10

commit fd32647dac45262209af61c4f7b523ce8543fc10
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Dec 14 06:33:16 2017

FROMGIT: netfilter: xt_osf: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    vpnns -- nfnl_osf -f /tmp/pf.os
    vpnns -- nfnl_osf -f /tmp/pf.os -d

These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't.

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from davem/net commit 916a27901de01446bcf57ecca4783f6cff493309)

BUG=chromium:792264
TEST=tested in a VM on a PC

Change-Id: I5a0f30d0386f816fe51aea7b24b07043b66da21d
Reviewed-on: https://chromium-review.googlesource.com/825774
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/fd32647dac45262209af61c4f7b523ce8543fc10/net/netfilter/xt_osf.c

Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d08b2954036aa66355031e00f83a51c2b29d207b

commit d08b2954036aa66355031e00f83a51c2b29d207b
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Dec 14 06:33:18 2017

FROMGIT: netlink: Add netns check on taps

Currently, a nlmon link inside a child namespace can observe systemwide netlink activity. Filter the traffic so that nlmon can only sniff netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x6162633132330000000000000000000000000000 \
        enc aes 0x00000000000000000000000000000000
    grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from davem/net commit 93c647643b48f0131f02e45da3bd367d80443291)

BUG=chromium:792264
TEST=tested in a VM on a PC

Change-Id: I2a67469e497046d983f54fb77c4931d5db65934d
Reviewed-on: https://chromium-review.googlesource.com/825775
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/d08b2954036aa66355031e00f83a51c2b29d207b/net/netlink/af_netlink.c

Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bda427949c1d1a91412c35862fc7cce6b14a59b1

commit bda427949c1d1a91412c35862fc7cce6b14a59b1
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Dec 14 06:33:20 2017

FROMGIT: netfilter: xt_osf: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    vpnns -- nfnl_osf -f /tmp/pf.os
    vpnns -- nfnl_osf -f /tmp/pf.os -d

These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't.

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from davem/net commit 916a27901de01446bcf57ecca4783f6cff493309)

BUG=chromium:792264
TEST=tested in a VM on a PC

Change-Id: I5a0f30d0386f816fe51aea7b24b07043b66da21d
Reviewed-on: https://chromium-review.googlesource.com/825779
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/bda427949c1d1a91412c35862fc7cce6b14a59b1/net/netfilter/xt_osf.c

Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d519d38540bb44770e6d24a48b928a4f80033f7b

commit d519d38540bb44770e6d24a48b928a4f80033f7b
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Dec 14 06:33:22 2017

FROMGIT: netlink: Add netns check on taps

Currently, a nlmon link inside a child namespace can observe systemwide netlink activity. Filter the traffic so that nlmon can only sniff netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x6162633132330000000000000000000000000000 \
        enc aes 0x00000000000000000000000000000000
    grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from davem/net commit 93c647643b48f0131f02e45da3bd367d80443291)

BUG=chromium:792264
TEST=tested in a VM on a PC

Change-Id: I2a67469e497046d983f54fb77c4931d5db65934d
Reviewed-on: https://chromium-review.googlesource.com/825780
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/d519d38540bb44770e6d24a48b928a4f80033f7b/net/netlink/af_netlink.c

Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/afff3c81f7c9d772959b92de27e7176e95d7c639

commit afff3c81f7c9d772959b92de27e7176e95d7c639
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Dec 14 06:33:13 2017

FROMGIT: netfilter: xt_osf: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    vpnns -- nfnl_osf -f /tmp/pf.os
    vpnns -- nfnl_osf -f /tmp/pf.os -d

These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't.

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from davem/net commit 916a27901de01446bcf57ecca4783f6cff493309)

BUG=chromium:792264
TEST=tested in a VM on a PC

Change-Id: I5a0f30d0386f816fe51aea7b24b07043b66da21d
Reviewed-on: https://chromium-review.googlesource.com/825655
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/afff3c81f7c9d772959b92de27e7176e95d7c639/net/netfilter/xt_osf.c

Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6c3ee3bca727cd88d92586bcb0cb9bef5485e911

commit 6c3ee3bca727cd88d92586bcb0cb9bef5485e911
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Dec 14 06:33:14 2017

FROMGIT: netlink: Add netns check on taps

Currently, a nlmon link inside a child namespace can observe systemwide netlink activity. Filter the traffic so that nlmon can only sniff netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x6162633132330000000000000000000000000000 \
        enc aes 0x00000000000000000000000000000000
    grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from davem/net commit 93c647643b48f0131f02e45da3bd367d80443291)

BUG=chromium:792264
TEST=tested in a VM on a PC

Change-Id: I2a67469e497046d983f54fb77c4931d5db65934d
Reviewed-on: https://chromium-review.googlesource.com/825656
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/6c3ee3bca727cd88d92586bcb0cb9bef5485e911/net/netlink/af_netlink.c
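An added example, not code from this page or from the Chromium OS kernel tree, modelling the check described in the nfnetlink_cthelper and xt_osf commit messages above: why netlink_net_capable() is satisfied by the "root" of an unprivileged user namespace, and why the added capable() check is not. The struct layouts and the `_m` functions are simplified stand-ins for the kernel's; only CAP_NET_ADMIN's value is the real constant.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model, not kernel code: CAP_NET_ADMIN's value is the real one
 * from linux/capability.h, the structs are simplified stand-ins. */
enum { CAP_NET_ADMIN = 12 };
struct user_ns { struct user_ns *parent; };
struct net     { struct user_ns *owner; };  /* every netns is owned by a user ns */
struct cred    { struct user_ns *user_ns; unsigned long cap_effective; };
static struct user_ns init_user_ns = { NULL };

/* Model of ns_capable(): the caller holds `cap` in `target` if the bit is in
 * its effective set and its own user ns is `target` or an ancestor of it. */
static bool ns_capable_m(const struct cred *c, const struct user_ns *target, int cap)
{
    if (!(c->cap_effective & (1UL << cap)))
        return false;
    for (const struct user_ns *ns = target; ns; ns = ns->parent)
        if (ns == c->user_ns)
            return true;
    return false;
}

/* netlink_net_capable(): scoped to the user ns owning the socket's netns. */
static bool netlink_net_capable_m(const struct cred *c, const struct net *sk_net, int cap)
{
    return ns_capable_m(c, sk_net->owner, cap);
}

/* capable(): scoped to init_user_ns, i.e. system-wide privilege. */
static bool capable_m(const struct cred *c, int cap)
{
    return ns_capable_m(c, &init_user_ns, cap);
}

/* Gate for a request that edits a system-wide list (cthelper list, xt_osf
 * fingerprints): before the fix only nfnetlink_rcv()'s socket-scoped check,
 * after it the added capable() check as well. */
static bool request_allowed(const struct cred *c, const struct net *sk_net, bool fixed)
{
    if (!netlink_net_capable_m(c, sk_net, CAP_NET_ADMIN))
        return false;
    return !fixed || capable_m(c, CAP_NET_ADMIN);
}

/* Scenario from the commit messages: an unprivileged user unshares a user ns
 * (full capability set inside it) plus a net ns it owns, then opens the socket there. */
static bool child_ns_request_allowed(bool fixed)
{
    struct user_ns child = { &init_user_ns };
    struct net child_net = { &child };
    struct cred fake_root = { &child, ~0UL };  /* "root" only inside child */
    return request_allowed(&fake_root, &child_net, fixed);
}
/* Real root in the init namespaces must keep working before and after the fix. */
static bool init_ns_root_request_allowed(bool fixed)
{
    struct net init_net = { &init_user_ns };
    struct cred root = { &init_user_ns, ~0UL };
    return request_allowed(&root, &init_net, fixed);
}
```

The same two-check pattern is what a reviewer should look for whenever an nfnetlink handler touches state that is not per-netns.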

Dec 16 2017
Removing Alberto from cc as I'll be helping on this front.

Dec 22 2017
Issue 797255 has been merged into this issue.

Dec 22 2017
The added permission checks fix a security issue (CVE-2017-17448).

Dec 22 2017
Issue 797257 has been merged into this issue.

Dec 22 2017
Also CVE-2017-17450

Dec 22 2017
Issue 797256 has been merged into this issue.

Dec 22 2017
... and CVE-2017-17449.

Dec 23 2017
cernekee: Uh oh! This issue still open and hasn't been updated in the last 16 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by elitel...@gmail.com, Dec 7 2017