Joyent Cloud Firewall Advisory: For KVM Users with Firewall Enabled

Sean G.

Joyent Cloud Firewall Advisory

Joyent engineers have discovered an issue with Cloud Firewall and KVM.

If you are not running KVM (Linux or Windows) instances or if you have not enabled Cloud Firewall, this vulnerability will not affect you at all.

If you are running one or more KVM instances with Cloud Firewall enabled, please note that Cloud Firewall does not currently handle IPv6. Both Linux and Windows enable IPv6 by default, so if you are using Linux or Windows VMs and have blocked ports using Cloud Firewall, those ports may still be open to other Linux or Windows VMs in the same data center, over the IPv6 link-local address. These ports are not accessible across Joyent Cloud data centers, and they are not accessible over the Internet.

Determining Whether a Service is Affected

Linux

Use the command ip -6 addr show to see if any interfaces are configured with IPv6 addresses. If there are no addresses listed, then the instance is not affected by this issue.

Use the netstat -l6 command to check for services that may be exposed:

root@3ed4c538-dadc-477b-9892-ddfa68433ca4:~# netstat -l6
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp6       0      0 [::]:9434               [::]:*
udp6       0      0 2001:db8::2:ntp         [::]:*
udp6       0      0 localhost:ntp           [::]:*
udp6       0      0 fe80::92b8:d0ff:fe4:ntp [::]:*
udp6       0      0 [::]:ntp                [::]:*
udp6       0      0 [::]:33207              [::]:*

Any services that are listed on [::] or addresses beginning with fe80:: are not adequately protected by Cloud Firewall alone. Services listening on localhost are not affected by this issue.
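The rule in the paragraph above can be applied by a script, which is useful when many instances have to be checked. The following is an added example, not part of the Joyent advisory: it reads netstat -l6 output, flags listeners on [::] or an fe80:: link-local address as exposed, and treats localhost listeners as unaffected. The sample netstat output embedded in it is constructed in the shape of the advisory's listing; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Joyent advisory: apply the advisory's rule for
# reading `netstat -l6` output in a script so the check can be run on many
# instances. Listeners on [::] or an fe80:: link-local address are flagged as
# exposed; localhost listeners are not.

# Constructed sample in the shape of the advisory's netstat -l6 output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp6       0      0 [::]:9434               [::]:*
udp6       0      0 2001:db8::2:ntp         [::]:*
udp6       0      0 localhost:ntp           [::]:*
udp6       0      0 fe80::92b8:d0ff:fe4:ntp [::]:*
udp6       0      0 [::]:ntp                [::]:*
udp6       0      0 [::]:33207              [::]:*'

# classify_v6_listeners: reads netstat -l6 output on stdin and prints one line
# per tcp6/udp6 socket: "<exposed|local|other> <proto> <address> <port>".
classify_v6_listeners() {
    awk '
        $1 != "tcp6" && $1 != "udp6" { next }   # skip header lines
        {
            laddr = $4
            # The port is everything after the last colon; the address is the rest.
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "[::]" || addr ~ /^fe80:/)
                kind = "exposed"   # reachable from other VMs per the advisory
            else if (addr == "localhost" || addr == "[::1]" || addr == "ip6-localhost")
                kind = "local"     # loopback only, not affected
            else
                kind = "other"     # a specific routable address; review separately
            print kind, $1, addr, port
        }'
}

# exposed_v6_count: number of listeners that need attention; 0 means nothing to do.
exposed_v6_count() {
    classify_v6_listeners | awk '$1 == "exposed"' | wc -l | tr -d ' '
}

# Run against the sample; on a real instance use: netstat -l6 | classify_v6_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | classify_v6_listeners
```

On a live instance, pipe the real output in with `netstat -l6 | classify_v6_listeners`; the "other" class covers listeners bound to a specific routable address, which the advisory's rule does not mention and which should be reviewed on their own.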

Windows

Use the command ipconfig /all | findstr IPv6 to see if any interfaces are configured with IPv6 addresses.

From a command prompt or PowerShell, use the netstat -nap IPv6 command. Any services listed on [::] or on addresses beginning with fe80:: (link-local), 2002 (6to4 tunnel) or 2001 (global address or Teredo tunnel) are not adequately protected by Cloud Firewall alone.

Mitigating Exposure of Services

Linux

Linux can be protected by one or more of the following methods:

  • Configure services to only listen on IPv4 addresses.
  • Disable IPv6 completely.
  • Use ip6tables to filter all IPv6 traffic.
  • Use ip6tables to filter individual ports.

Configure services to only listen on IPv4 addresses

In general, applications can be configured to listen on specific IPv4 addresses, or on 0.0.0.0 (all IPv4 addresses). A socket bound to an IPv4 address cannot accept IPv6 connections, so this excludes IPv6 for that application. Consult the application documentation for specific details, or contact the application vendor and/or authors.

Disable IPv6 Completely

Add the following line to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1

And execute the following command:

sysctl -w net.ipv6.conf.all.disable_ipv6=1

Use the following command to verify that IPv6 has been disabled:

ip -6 addr show

If IPv6 has been properly disabled then no addresses will be listed.

Use ip6tables to Filter all IPv6 Traffic

Note that ip6tables rules do not persist across reboots. You will need to execute the rules after every boot. The iptables-persistent package can help to ensure that packet filter rules are automatically loaded at boot time. Consult the iptables-persistent documentation for further information.

Execute the following:

ip6tables -P INPUT DROP

Use ip6tables to Filter Individual Ports

Note that ip6tables rules do not persist across reboots. You will need to execute the rules after every boot. The iptables-persistent package can help to ensure that packet filter rules are automatically loaded at boot time. Consult the iptables-persistent documentation for further information.

To filter TCP port 80, execute the following. Substitute the port you wish to filter for 80:

ip6tables -I INPUT -p tcp --dport 80 -j DROP

To filter UDP port 123, execute the following. Substitute the port you wish to filter for 123:

ip6tables -I INPUT -p udp --dport 123 -j DROP
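Both ip6tables approaches above (filter all IPv6 traffic, or filter individual ports) can be written out as a single ruleset file, reviewed, loaded with ip6tables-restore, and saved where iptables-persistent picks it up at boot. The following is an added example, not part of the Joyent advisory: it generates that ruleset from a mode and a list of PROTO:PORT entries. It goes slightly beyond the advisory's bare commands by always accepting loopback and replies to established flows, so that local IPv6 services and connections the host itself opened keep working. The path /etc/iptables/rules.v6 is assumed to be the file iptables-persistent loads (as on Debian and Ubuntu); the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the Joyent advisory: write the advisory's ip6tables
# rules as an ip6tables-restore ruleset so they can be reviewed, applied with
# `ip6tables-restore < file`, and saved where iptables-persistent loads them at
# boot (assumed here to be /etc/iptables/rules.v6, as on Debian/Ubuntu).

# gen_v6_ruleset MODE [PROTO:PORT ...]
#   MODE "all":   INPUT policy DROP (the advisory's filter-everything rule);
#                 loopback and replies to established flows are still accepted.
#                 Neighbour discovery is dropped too, so IPv6 becomes
#                 effectively unreachable, which matches the advisory's intent.
#   MODE "ports": INPUT policy ACCEPT and one DROP rule per PROTO:PORT
#                 (the advisory's per-port rules), e.g. tcp:80 udp:123.
gen_v6_ruleset() {
    mode=$1
    shift
    case "$mode" in
        all)   policy=DROP ;;
        ports) policy=ACCEPT ;;
        *) echo "gen_v6_ruleset: mode must be 'all' or 'ports'" >&2; return 1 ;;
    esac
    if [ "$mode" = all ] && [ $# -gt 0 ]; then
        echo "gen_v6_ruleset: mode 'all' takes no port list" >&2
        return 1
    fi
    printf '%s\n' '*filter'
    printf ':INPUT %s [0:0]\n' "$policy"
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Keep ::1 traffic between local services working under either policy.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Let replies to connections this host opened over IPv6 back in.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "gen_v6_ruleset: bad spec '$spec' (want tcp:PORT or udp:PORT)" >&2
               return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "gen_v6_ruleset: bad port in '$spec'" >&2
                         return 1 ;;
        esac
        printf -- '-A INPUT -p %s --dport %s -j DROP\n' "$proto" "$port"
    done
    printf '%s\n' 'COMMIT'
}

# Example run: the advisory's two per-port rules as one ruleset.
# To apply and persist (as root):
#   gen_v6_ruleset ports tcp:80 udp:123 > /etc/iptables/rules.v6
#   ip6tables-restore < /etc/iptables/rules.v6
gen_v6_ruleset ports tcp:80 udp:123
```

Review the generated file before loading it; `ip6tables -S INPUT` afterwards shows the rules actually in effect, and the netstat -l6 check from earlier in this advisory confirms that the flagged ports no longer answer over IPv6.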


Windows

Note: Windows Firewall is enabled by default and does not allow inbound traffic over IPv6 by default. Nevertheless, you may wish to verify the Windows Firewall settings or disable IPv6.

Questions or Concerns

If any unanswered questions or concerns happen to arise while following the instructions above, please contact Joyent Support by emailing support@joyent.com or by submitting a request via https://help.joyent.com/home. If any additional necessary information comes to light, we will update this announcement accordingly.
