Re: making Debian secure by default
On Wed, Mar 27, 2024 at 8:37 PM Lee <ler762@gmail.com> wrote:
>
> I just saw this advisory
> Escape sequence injection in util-linux wall (CVE-2024-28085)
> https://seclists.org/fulldisclosure/2024/Mar/35
> where they're talking about grabbing other users' sudo password.
>
> Apparently the root of the security issue is that wall is a setgid program?
>
> Even more fun is the instructions
> To make sure the PoC will work, make sure your victim user can
> actually receive messages. First check that mesg is set to y
> (`mesg y`). If a user does not have mesg turned on, they are not
> exploitable.
>
> WTF?? I've never heard of a mesg, but
> $ which mesg
> /usr/bin/mesg
>
> So. There is a program called 'mesg', hrmmm..
> man mesg
> ...
> Traditionally, write access is allowed by default. However, as users
> become more conscious of various security risks, there is a trend to
> remove write access by default, at least for the primary login shell.
> To make sure your ttys are set the way you want them to be set, mesg
> should be executed in your login scripts.
>
> oof. Are there instructions somewhere on how to make Debian secure by default?

There are Security Technical Implementation Guides (STIG) for Red Hat,
Solaris, SUSE, and Ubuntu. Unfortunately, nothing for Debian. See
<https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=unix-linux>.

More generally, for Operating Systems, see
<https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems>.

Jeff
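
An added example, not part of either poster's message: a shell check of the two conditions raised in the thread, namely whether the current terminal accepts messages (the state `mesg` toggles) and whether `wall` is installed setgid. It assumes GNU coreutils `stat`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils stat(1).
# Function names are hypothetical.

# Return 0 if an octal mode (e.g. 620) lets group or others write,
# which is what "mesg y" enables on a terminal device.
mode_accepts_messages() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# Return 0 if an octal mode (e.g. 2755) carries the setgid bit.
mode_is_setgid() {
    [ $(( 0$1 & 02000 )) -ne 0 ]
}

# Report the state of the terminal on stdin and of the wall binary.
audit_messaging() {
    t=$(tty 2>/dev/null) || t=""
    if [ -n "$t" ] && [ -e "$t" ]; then
        if mode_accepts_messages "$(stat -L -c '%a' "$t")"; then
            echo "$t: accepts messages (mesg y); put 'mesg n' in login scripts"
        else
            echo "$t: messages disabled (mesg n)"
        fi
    else
        echo "no terminal on stdin; nothing to check"
    fi

    w=$(command -v wall 2>/dev/null) || w=""
    if [ -n "$w" ]; then
        if mode_is_setgid "$(stat -L -c '%a' "$w")"; then
            echo "$w: setgid, can write to terminals that allow group write"
        else
            echo "$w: not setgid"
        fi
    else
        echo "wall: not installed"
    fi
}

audit_messaging
```
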