Re: [vserver] Vserver Kernel Exploits

From: Adrian Reyer <are_at_lihas.de>
Date: Sun 19 Jan 2014 - 16:42:08 GMT
Message-ID: <20140119164207.GA15203@r2d2.s.lihas.de>

Hi Ted,

On Sun, Jan 19, 2014 at 09:55:22AM -0500, Ted Barnes wrote:
> 1) I'm running gnome including Firefox in my vserver guests. Is
> it a correct assumption that such a guest is susceptible to the
> types of kernel exploits that would allow an attacker to take
> control of the guest as root (e.g., maybe some sort of sql
> injection off of an infected website)? I.e., does the guest
> architecture per se eliminate this sort of risk? Or is the best one
> can do to use a current kernel, keep the guest patched etc.?

A VServer root is still root, just with limited capabilities. E.g.:
- No creating devices
- No loading modules
- No mounting of block devices
- No changing of network setup
In other words, it is much harder to hide as an attacker and to attack
the rest of the system.
You should keep current kernels to prevent the attacker from gaining
additional privileges and becoming a danger to the host. It compares a bit
to a virus scanner: if it is outdated, it is useless. Though on a quite
higher level to be exploited.

> 2) Should such an attack succeed, could the attacker then begin to
> attack other guests on the network?

Yes, they can do so as a normal user as well. However, default settings
don't allow e.g. using tcpdump.

> 3) My guests are on a different subnet than the host. Should such
> an attack succeed in a guest, could it mount a successful attack on
> the host over the network if the host had iptables in place, was up
> to date in its patches etc.?

Depends on the attack and your setup. By default, locally generated
packets targeting local IP addresses will never leave the host. This is
different with e.g. network namespaces.

Regards,
        Adrian

-- 
LiHAS - Adrian Reyer - Hessenwiesenstraße 10 - D-70565 Stuttgart
Phone: +49 (7 11) 78 28 50 90 - Fax:  +49 (7 11) 78 28 50 91
Mail: lihas_at_lihas.de - Web: http://lihas.de
Linux, Networks, Consulting & Support - VAT ID: DE 227 816 626 Stuttgart
Received on Sun Jan 19 16:42:31 2014
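
Added example, not part of the original message or of the Linux-VServer project: a check that a guest's root really lacks the privileges listed in the reply above. It assumes the restrictions show up as bits missing from the `CapBnd` line of `/proc/<pid>/status`, as they do for capability-restricted processes on mainline Linux; the two status excerpts are constructed samples.

```python
import re

# Restrictions named in the reply, mapped to the Linux capability that gates
# each one (bit numbers from linux/capability.h). The mapping to VServer's
# defaults is an assumption of this example, not taken from the message.
CHECKS = {
    "create device nodes": ("CAP_MKNOD", 27),
    "load kernel modules": ("CAP_SYS_MODULE", 16),
    "mount block devices": ("CAP_SYS_ADMIN", 21),
    "change network setup": ("CAP_NET_ADMIN", 12),
    "raw sockets (tcpdump)": ("CAP_NET_RAW", 13),
}

def parse_capbnd(status_text):
    """Return the capability bounding set from /proc/<pid>/status as an int."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapBnd line found")
    return int(m.group(1), 16)

def still_allowed(status_text):
    """Names of the checked capabilities that are still in the bounding set."""
    mask = parse_capbnd(status_text)
    return sorted(cap for cap, bit in CHECKS.values() if (mask >> bit) & 1)

# Constructed sample: unrestricted root with every capability up to bit 36.
SAMPLE_HOST_ROOT = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapBnd:\t0000001fffffffff\n"
# Constructed sample: root with bits 12, 13, 16, 21 and 27 removed.
SAMPLE_GUEST_ROOT = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapBnd:\t0000001ff7decfff\n"

if __name__ == "__main__":
    for label, text in (("host sample", SAMPLE_HOST_ROOT),
                        ("guest sample", SAMPLE_GUEST_ROOT)):
        print(label, "->", still_allowed(text) or "none of the checked caps")
    try:
        # On Linux, audit the current process (run this as root in a guest).
        with open("/proc/self/status") as fh:
            print("this process ->", still_allowed(fh.read()))
    except (OSError, ValueError) as exc:
        print("could not read /proc/self/status:", exc)
```

Any name printed for a guest's root process is a restriction from the list that is not in effect for that guest.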