openSUSE Forums > Network/Internet » Fragment attacks linux kernel 2.6.x series

  #1 (permalink)  
Old 18-Dec-2008, 05:17
Student Penguin
 
Join Date: Nov 2008
Posts: 51
ninja123
Default Fragment attacks linux kernel 2.6.x series

Can anybody tell me if tiny fragment and overlapping fragment attacks at the IP layer are completely blocked by the Linux kernel 2.6 series?

Also, what about denial of service attacks for this kernel?

How secure are they?

Thanks a ton
  #2 (permalink)  
Old 18-Dec-2008, 05:38
Flux Capacitor Penguin
 
Join Date: Jun 2008
Location: GMT+10
Posts: 5,232
ken_yap
Default Re: Fragment attacks linux kernel 2.6.x series

You can't generalise across the 2.6 series. 2.6.18 is light-years different from say 2.6.27. If you really want to see what kernel bugs have been fixed, search for the CERT advisories on the 2.6 series. The best you can do is keep up to date with your vendor's patches.

Note that even if the latest is say 2.6.27 and the vendor is shipping 2.6.25, that doesn't mean it has a hole. Vendors usually stick with the same kernel version in a given release for stability reasons but backport security patches.
  #3 (permalink)  
Old 18-Dec-2008, 05:55
Student Penguin
 
Join Date: Nov 2008
Posts: 51
ninja123
Default Re: Fragment attacks linux kernel 2.6.x series

OK, let me frame it this way:

I have kernel 2.6.24. Is it prone to such attacks?
  #4 (permalink)  
Old 18-Dec-2008, 06:05
Flux Capacitor Penguin
 
Join Date: Jun 2008
Location: GMT+10
Posts: 5,232
ken_yap
Default Re: Fragment attacks linux kernel 2.6.x series

Let me put it this way: As far as most people know, and that would include all the networking experts on the Linux kernel list, the latest kernel is not vulnerable, and if a hole is discovered it would be plugged quickly. And that is the best that anybody can say.

Older kernels may be vulnerable, you would have to check the advisory list. But as I explained, even if uname -a shows that you are running an older kernel version, it doesn't mean it hasn't been patched by your vendor from the original release. So you cannot just go by the version displayed by uname -a. You would have to look at the patch history in the vendor packages.

Disappointed already? So sue me.
  #5 (permalink)  
Old 22-Dec-2008, 07:38
Student Penguin
 
Join Date: Nov 2008
Posts: 51
ninja123
Default Re: Fragment attacks linux kernel 2.6.x series

OK, so this means that if it is vulnerable to a known attack at all, it would be patched. Is there a site/link where I can see all the attacks that have been patched? It is important for me because we are using this kernel in a module prone to network attacks, and our buyers ask us if these attacks have been patched.

Thanks a ton.
  #6 (permalink)  
Old 22-Dec-2008, 08:35
Flux Capacitor Penguin
 
Join Date: Jun 2008
Location: GMT+10
Posts: 5,232
ken_yap
Default Re: Fragment attacks linux kernel 2.6.x series

Read the changelog of the kernel-default package. The security bugs are referenced by CVE numbers.

Code:
rpm -q --changelog kernel-default
If you are running kernel-pae, then substitute that.
  #7 (permalink)  
Old 23-Dec-2008, 04:03
Student Penguin
 
Join Date: Nov 2008
Posts: 51
ninja123
Default Re: Fragment attacks linux kernel 2.6.x series

I checked it and hit upon one CVE. I realise that if the previous kernel versions were prone to such attacks they would have been fixed and hence perhaps this kernel may not have such info.

Well, I thought the netfilter of the TCP/IP stack must have some parameters that can be set or reset to adjust security. If so, where do I look for these? Isn't that the direct way? How would I know what checks ip_rcv() does on packets? Where do I look for this code?
  #8 (permalink)  
Old 23-Dec-2008, 05:36
Flux Capacitor Penguin
 
Join Date: Jun 2008
Location: GMT+10
Posts: 5,232
ken_yap
Default Re: Fragment attacks linux kernel 2.6.x series

You start with the kernel version that was distributed originally with the distro release and consider all holes discovered up till that version fixed. Then you add in all the fixes in the changelog. That will be the status of the current package. If you have to dig further, then you have to fetch the kernel-source package with the last released version number and read it. Have fun.
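
The changelog check described in posts #6 and #8, as an added example that is not part of the original thread: it indexes the CVE numbers cited in `rpm -q --changelog` output and reports whether the ones a buyer asks about are listed. The function names `cve_index` and `check_cves` are hypothetical, the sample changelog is constructed, and the CVE and bug numbers in it are placeholders.

```shell
#!/bin/sh
# Added example: index the CVE references in an RPM changelog.
# SAMPLE_CHANGELOG is constructed; CVE-0000-000x and bnc#000001 are placeholders.
SAMPLE_CHANGELOG='* Thu Dec 11 2008 maintainer@example.invalid
- patches.fixes/example-frag.patch: ipv4: example fragment
  reassembly fix (bnc#000001, CVE-0000-0001).
* Mon Nov 03 2008 maintainer@example.invalid
- patches.fixes/example-other.patch: example fix (CVE-0000-0002).
- Update config files.
* Fri Oct 10 2008 maintainer@example.invalid
- patches.fixes/example-frag2.patch: earlier partial fix (CVE-0000-0001).'

# stdin: changelog text. stdout: "CVE-ID<TAB>date of newest entry citing it".
cve_index() {
    awk '
        /^\* / { date = $2 " " $3 " " $4 " " $5; next }  # "* Thu Dec 11 2008 who"
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!(id in seen)) seen[id] = date   # rpm prints newest first
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (id in seen) printf "%s\t%s\n", id, seen[id] }
    ' | sort
}

# stdin: changelog text; args: CVE ids to look up. Returns 1 if any id is absent.
# Absent means only that no changelog entry cites it; per the thread, holes
# found before the originally shipped kernel version are taken as fixed there.
check_cves() {
    cc_index=$(cve_index)
    cc_rc=0
    for cc_id in "$@"; do
        cc_hit=$(printf '%s\n' "$cc_index" | grep -wF -- "$cc_id" || true)
        if [ -n "$cc_hit" ]; then
            printf 'LISTED\t%s\n' "$cc_hit"
        else
            printf 'NOT-IN-CHANGELOG\t%s\n' "$cc_id"
            cc_rc=1
        fi
    done
    return "$cc_rc"
}

# Demo on the constructed sample; on a real system pipe in
#   rpm -q --changelog kernel-default
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_index
```
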