SLES 11 SP3 How to check if DCCP protocol is enabled in SLES SPx?



manpreetsingh
25-Feb-2017, 16:54
For CVE-2017-6074, I want to check if DCCP protocol is enabled in my system.
As per the information available at https://www.suse.com/support/kb/doc/?id=7018645, DCCP protocol does not get installed in SLES 11 by default.
But how can I confirm this?

malcolmlewis
25-Feb-2017, 18:47
On Sat 25 Feb 2017 04:04:02 PM CST, manpreetsingh wrote:

> For CVE-2017-6074, I want to check if DCCP protocol is enabled in my
> system.
> As per the information available at
> https://www.suse.com/support/kb/doc/?id=7018645, DCCP protocol does not
> get installed in SLES 11 by default.
> But how can I confirm this?

Hi
Do you have the 'extra' module repository active?

Check for a blacklist entry in /etc/modprobe.d/


fgrep -r "dccp" /etc/modprobe.d/*


Check with netstat for the dccp ports from the output of;


cat /etc/services |grep dccp


Search with zypper for dccp, if it's installed, then remove and add a
lock with zypper.


zypper se dccp
zypper rm <package_name>
zypper al <package_name>


Finally add a blacklist entry in /etc/modprobe.d/99-local.conf and run
mkinitrd.

--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.36-44-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

manpreetsingh
26-Feb-2017, 16:39
> Hi
> Do you have the 'extra' module repository active?

NO

> Check for a blacklist entry in /etc/modprobe.d/
>
> fgrep -r "dccp" /etc/modprobe.d/*

NO Output

> Check with netstat for the dccp ports from the output of;
>
> cat /etc/services |grep dccp

No ports are open.

> Search with zypper for dccp, if it's installed, then remove and add a
> lock with zypper.
>
> zypper se dccp
> zypper rm <package_name>
> zypper al <package_name>

No output for "zypper se dccp"

> Finally add a blacklist entry in /etc/modprobe.d/99-local.conf and run
> mkinitrd.

Thanks for your help.

berndgsflinux
09-Mar-2017, 15:18
Hi Malcolm,

I still have some systems with SLES 10 SP4. It seems that DCCP is implemented as a kernel module:


pc53200:/var/lib/mysql/backup # zgrep -i dccp /proc/config.gz
CONFIG_NETFILTER_XT_MATCH_DCCP=m
# DCCP Configuration (EXPERIMENTAL)
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m
# DCCP CCIDs Configuration (EXPERIMENTAL)
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# DCCP Kernel Hacking
# CONFIG_IP_DCCP_DEBUG is not set
# CONFIG_IP_DCCP_UNLOAD_HACK is not set

pc53200:/var/lib/mysql/backup # lsmod|grep -i dccp
pc53200:/var/lib/mysql/backup #

Does that mean that I'm not vulnerable?

If I understand https://en.wikipedia.org/wiki/Datagram_Congestion_Control_Protocol correctly, it uses neither TCP nor UDP. So it can't be visible with netstat?

Executing the other steps you mentioned does not give any hint to dccp.

Bernd

malcolmlewis
09-Mar-2017, 15:45
On Thu 09 Mar 2017 02:24:01 PM CST, berndgsflinux wrote:

> Hi Malcolm,
>
> I still have some systems with SLES 10 SP4. It seems that DCCP is
> implemented as a kernel module:
>
> Code:
> --------------------
> pc53200:/var/lib/mysql/backup # zgrep -i dccp /proc/config.gz
> CONFIG_NETFILTER_XT_MATCH_DCCP=m
> # DCCP Configuration (EXPERIMENTAL)
> CONFIG_IP_DCCP=m
> CONFIG_INET_DCCP_DIAG=m
> # DCCP CCIDs Configuration (EXPERIMENTAL)
> CONFIG_IP_DCCP_CCID3=m
> CONFIG_IP_DCCP_TFRC_LIB=m
> # DCCP Kernel Hacking
> # CONFIG_IP_DCCP_DEBUG is not set
> # CONFIG_IP_DCCP_UNLOAD_HACK is not set
>
> pc53200:/var/lib/mysql/backup # lsmod|grep -i dccp
> pc53200:/var/lib/mysql/backup #
> --------------------
>
> Does that mean that I'm not vulnerable?
>
> If I understand
> https://en.wikipedia.org/wiki/Datagram_Congestion_Control_Protocol
> correctly, it uses neither TCP nor UDP. So it can't be visible
> with netstat?
>
> Executing the other steps you mentioned does not give any hint to dccp.
>
> Bernd

Hi
So if you try modprobe dccp does it appear in the output of lsmod? I'm
guessing yes (since it's configured as a loadable module), so unless an
admin loads it, it won't get used...

So, you could blacklist it, or set up a cron job to check and delete the
module(s) if there;



ls /lib/modules/`uname -r`/kernel/net/dccp



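The checks discussed in this thread (lsmod, the module directory under /lib/modules, and the rules in /etc/modprobe.d) combined into one script, as an added example that is not part of the original posts. The function names and the ROOT path-prefix argument are assumptions of this sketch; it reports a `blacklist` line separately from an `install` override because the two do not give the same protection.

```shell
#!/bin/bash
# Added example, not from the thread. ROOT is a path prefix so the checks can
# run against a mounted image or a test tree; pass "" for the live system.

# Success if dccp or a dccp_* module is in /proc/modules (what lsmod reads).
dccp_loaded() {
    grep -Eqs '^dccp(_|[[:space:]])' "$1/proc/modules"
}

# Success if module files exist for kernel version $2.
dccp_on_disk() {
    [ -n "$(find "$1/lib/modules/$2/kernel/net/dccp" -name 'dccp*.ko*' 2>/dev/null | head -n 1)" ]
}

# Prints "install", "blacklist" or "none" for uncommented modprobe.d rules.
# "blacklist dccp" only disables the module's aliases, so an explicit
# "modprobe dccp" still works; an "install dccp <cmd>" rule replaces the load.
dccp_modprobe_rule() {
    if grep -Eqs '^[[:space:]]*install[[:space:]]+dccp[[:space:]]' "$1"/etc/modprobe.d/*; then
        echo install
    elif grep -Eqs '^[[:space:]]*blacklist[[:space:]]+dccp([[:space:]]|$)' "$1"/etc/modprobe.d/*; then
        echo blacklist
    else
        echo none
    fi
}

# Prints loaded | absent | blocked | blacklisted | loadable.
dccp_status() {
    if dccp_loaded "$1"; then echo loaded; return 0; fi
    if ! dccp_on_disk "$1" "$2"; then echo absent; return 0; fi
    case "$(dccp_modprobe_rule "$1")" in
        install)   echo blocked ;;
        blacklist) echo blacklisted ;;
        *)         echo loadable ;;
    esac
}

# Live system: dccp_status "" "$(uname -r)"
```

A result of `absent` only means no module files were found for that kernel version; a kernel with DCCP built in rather than built as a module would need the /proc/config.gz check shown earlier in the thread.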