
RFC: disable SCTP in Debian's kFreeBSD?



Hi,

SCTP, an IP transport protocol, is enabled by default in upstream
FreeBSD's GENERIC config:

> # SCTP is a NEW transport protocol defined by
> # RFC2960 updated by RFC3309 and RFC3758 [...]
> options         SCTP

(Although RFC2960 was published in 2000, so it is not so new any more.)
To date I've never configured SCTP on any servers before, or knowingly
used it on any other systems.  "The SCTP web site", sctp.org, had no
news entries after 2004 and seems to have gone offline.

Linux has SCTP support.  Debian has some command-line tools for that and
a library, each with around 5000 popcon users:
https://qa.debian.org/popcon.php?package=lksctp-tools

FreeBSD's SCTP support seems to be a reference implementation by Cisco.
Another implementation by the KAME Project had an OpenBSD port, but it
seems that never quite made it into the tree.

Support for SCTP seems notably missing from Microsoft Windows:
https://stackoverflow.com/questions/2153700

There exists some backward-compatibility mechanism to run SCTP over UDP
sockets if that's needed.


In wheezy, we've patched a kernel memory disclosure vulnerability that
was remotely exploitable if SCTP sockets were used. (CVE-2013-5209)

STABLE-9 quietly fixed jailed processes being able to see or use SCTP
source addresses that should not have been available to them:
http://svnweb.freebsd.org/base?view=revision&revision=267674

We now have a local kernel memory disclosure bug (CVE-2014-3953) - I'm
unsure if SCTP must be in use to exploit it - but the patch will not
apply cleanly to 9.0 and 8.3 that we have in wheezy, so would need
backporting by us.


I wonder if it is worth it?  Is SCTP really used by us, even close to
working or desirable to anyone?

A search for Debian packages with "sctp" in the name shows binary
packages that have only built on linux-any arches:
https://packages.debian.org/search?keywords=sctp

I've used Debian Code Search to look for potential users:
http://codesearch.debian.net/search?q=include.*sctp\.h
and found these:
* openssl - is disabled by OPENSSL_NO_SCTP, which is default
* iceweasel/icedove - kfreebsd buildd logs don't mention it, linux does
* libav - I don't see any mention in the buildd log
* chromium-browser - wasn't in wheezy
* openjdk-7 - wasn't in wheezy

* about a dozen other packages I thought were less interesting than the
above, didn't bother to check if SCTP was really implemented/supported

* SCTP was mentioned in lots of network diagnostic tools e.g. wireshark,
nmap, ns2 - but what is the point of that if not using the protocol for
anything?


So I'm obviously asking here - could we just drop SCTP from the default
kernel config?  In jessie/sid?  Even in wheezy-security?

Thanks for reading!
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
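As an added example (not from this mail, nor Debian's or FreeBSD's own tooling), a small Python helper that audits a FreeBSD-style kernel config for the `options SCTP` line and produces the variant with it disabled, so the change proposed above can be reviewed as a diff. The config excerpt is constructed for the example.

```python
import re

# Constructed excerpt in the style of FreeBSD's GENERIC kernel config
# (not the real file); the comment lines mirror the ones quoted in the mail.
SAMPLE_CONFIG = """\
ident           GENERIC
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
# SCTP is a NEW transport protocol defined by
# RFC2960 updated by RFC3309 and RFC3758 [...]
options         SCTP                    # Stream Control Transmission Protocol
options         TCP_OFFLOAD             # TCP offload
"""

OPTION_RE = re.compile(r"^\s*options\s+(\S+)")

def enabled_options(config_text):
    """Return the set of kernel options a FreeBSD config enables.

    Comment lines and trailing '# ...' comments are dropped first, so a
    line that merely mentions SCTP in a comment does not count as enabling it.
    """
    enabled = set()
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]
        m = OPTION_RE.match(code)
        if m:
            enabled.add(m.group(1))
    return enabled

def sctp_enabled(config_text):
    """True if this config would build SCTP into the kernel."""
    return "SCTP" in enabled_options(config_text)

def disable_option(config_text, option):
    """Return the config with every 'options <option>' line commented out.

    Only exact option names are touched (SCTP_DEBUG is not hit by "SCTP"),
    and the line is kept as a comment so the change stays visible in a diff.
    """
    out = []
    for line in config_text.splitlines(keepends=True):
        m = OPTION_RE.match(line.split("#", 1)[0])
        out.append("#" + line if m and m.group(1) == option else line)
    return "".join(out)

if __name__ == "__main__":
    print("SCTP enabled:", sctp_enabled(SAMPLE_CONFIG))
    print(disable_option(SAMPLE_CONFIG, "SCTP"))
```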
