[SECURITY] NanoKVM is a router #197

Open
ValdikSS opened this issue Dec 9, 2024 · 1 comment
Comments

ValdikSS commented Dec 9, 2024

NanoKVM v1.3.0 image (20241120_NanoKVM_Rev1_3_0.img.xz) comes with IPv4 and IPv6 routing enabled, with the firewall accepting all routed connections unconditionally.

When IP forwarding is enabled, the device can potentially forward packets between different networks, which might expose the internal network to unauthorized access or attacks.
https://www.tenable.com/plugins/nessus/50686

NanoKVM is not a router, hence this function should be disabled.

# sysctl -a 2>/dev/null | grep -E 'ip_forward|eth0.*forwarding'
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.eth0.forwarding = 1
# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
# ip6tables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Forwarding is enabled by /etc/sysctl.d/99-tailscale.conf, which I assume is not necessary for the client configuration.

# cat /etc/sysctl.d/99-tailscale.conf 
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Workaround:

rm /etc/sysctl.d/99-tailscale.conf
ln -s /dev/null /etc/sysctl.d/99-tailscale.conf
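The check below is an added example, not code from the issue or from the NanoKVM project. It turns the finding above into a repeatable audit: it parses `sysctl -a` style text and `iptables -S FORWARD` style text (the `-S` form is assumed here instead of the `-vnL` listing in the issue) and reports whether the host is acting as an open router (forwarding on, FORWARD policy ACCEPT), a filtered router (forwarding on, chain policy not ACCEPT, a case the issue does not show), or a plain host. It also emits the sysctl.d fragment that neutralises 99-tailscale.conf, assuming sysctl.d files are applied in lexical order with later files winning, as systemd-sysctl and `sysctl --system` do. The sample sysctl and iptables texts are constructed from the values quoted in the issue so the script runs without root; pass `--live` to audit the current host instead.

```shell
#!/bin/sh
# Added example (not from the issue or the NanoKVM project): audit a Linux host
# for "forwarding enabled + FORWARD chain wide open" and print the override
# fragment that disables forwarding.

# Constructed sample: sysctl values as reported for the v1.3.0 image in the issue.
SAMPLE_SYSCTL_BAD='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1'

# Constructed sample: the same knobs after forwarding has been turned off.
SAMPLE_SYSCTL_GOOD='net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0'

# Constructed samples: "iptables -S FORWARD" output for an open and a closed chain.
SAMPLE_FWD_OPEN='-P FORWARD ACCEPT'
SAMPLE_FWD_CLOSED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# sysctl_value SYSCTL_TEXT KEY -> value of KEY ("key = value" lines), or "missing".
sysctl_value() {
    _v=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }')
    printf '%s' "${_v:-missing}"
}

# forwarding_enabled SYSCTL_TEXT -> exit 0 if any IPv4/IPv6 forwarding knob is 1.
forwarding_enabled() {
    for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv6.conf.eth0.forwarding; do
        [ "$(sysctl_value "$1" "$key")" = 1 ] && return 0
    done
    return 1
}

# forward_chain_open IPTABLES_S_TEXT -> exit 0 if the FORWARD chain policy is ACCEPT.
forward_chain_open() {
    printf '%s\n' "$1" | grep -q '^-P FORWARD ACCEPT$'
}

# router_exposure SYSCTL_TEXT IPTABLES_S_TEXT -> prints one word:
#   ROUTER    forwarding on and FORWARD policy ACCEPT (the issue's finding)
#   FILTERED  forwarding on, but the FORWARD policy is not ACCEPT
#   HOST      forwarding off
router_exposure() {
    if forwarding_enabled "$1"; then
        if forward_chain_open "$2"; then printf 'ROUTER'; else printf 'FILTERED'; fi
    else
        printf 'HOST'
    fi
}

# hardening_sysctl -> the fragment to install as e.g. /etc/sysctl.d/99-zz-no-forwarding.conf
# (hypothetical file name). It must sort after 99-tailscale.conf so that it wins.
hardening_sysctl() {
    printf 'net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\n'
}

if [ "${1:-}" = "--live" ]; then
    # Audit this host (needs root to read the FORWARD chain).
    router_exposure "$(sysctl -a 2>/dev/null)" "$(iptables -S FORWARD 2>/dev/null)"; echo
else
    printf 'v1.3.0 image as shipped:        %s\n' "$(router_exposure "$SAMPLE_SYSCTL_BAD" "$SAMPLE_FWD_OPEN")"
    printf 'forwarding disabled:            %s\n' "$(router_exposure "$SAMPLE_SYSCTL_GOOD" "$SAMPLE_FWD_OPEN")"
    printf 'forwarding kept, chain closed:  %s\n' "$(router_exposure "$SAMPLE_SYSCTL_BAD" "$SAMPLE_FWD_CLOSED")"
fi
```

The sysctl override only takes effect on the next `sysctl --system` run or reboot; for an immediate fix on a live device, `sysctl -w net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0` applies the same values at once, and `iptables -P FORWARD DROP` (plus the ip6tables equivalent) closes the chain even if something later re-enables forwarding.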
@mcury1985 commented

Good, thanks for informing.
I have a DMZ, /30, just for the nanoKVM. This network doesn't have IPv6 enabled and it is blocked to reach any other VLAN in my network, only Internet access is allowed (for tailscale).

@kedama222 kedama222 mentioned this issue Dec 14, 2024