SRV-035 Vulnerable services enabled
【 Description 】
Running a service with known vulnerabilities gives an attacker an entry point, so check whether vulnerable services, or vulnerable versions of services, are running (tftp, talk, ntalk, finger, the vulnerable r-family services, echo, discard, daytime, chargen, NIS, NIS+ and the like).
【 Criteria 】
- Good: none of the items below applies
- Vulnerable: at least one of the items below applies
1. tftp, talk or ntalk enabled without a business need
2. finger service enabled
3. rexec, rlogin or rsh service enabled
4. echo, discard, daytime or chargen enabled (these simple TCP/UDP services are DoS and reflection vectors)
5. NIS or NIS+ service enabled
※ Exception: if an OS backup solution must use tftp, review whether it is tied to a business function before granting the exception
【 Method 】
1. Check whether processes of the vulnerable services (tftp, talk, ntalk, finger, the vulnerable r-family services, echo, discard, daytime, chargen, NIS, NIS+ and the like) are running
※ For finger, check by executing the command. Note that "finger" with no argument only lists local logins from utmp and never contacts fingerd; to confirm the daemon itself answers, query it with "finger @localhost" or check whether 79/tcp is listening.
※ The "ps -ef | egrep ..." pattern used below also matches the egrep process itself and any command line that merely contains a word such as "echo" or "talk"; confirm each hit before recording it, or cross-check the listening ports (echo 7, discard 9, daytime 13, chargen 19, tftp 69/udp, finger 79, exec 512, login 513, shell 514, talk 517/udp, ntalk 518/udp) with "ss -lntup" or "netstat -an".
2. Check the disable setting in each service's configuration file
■ Linux
# ps -ef | egrep "tftp|talk|rexec|rlogin|rsh|echo|discard|daytime|chargen|ypserv|ypbind|ypxfrd|yppasswdd|ypupdated"
# finger
Login Name Tty Idle Login Time Office Office Phone Host
root root pts/0 Aug 1 10:00 (192.168.0.10)
...
# cat /etc/xinetd.d/tftp | grep disable
# cat /etc/xinetd.d/talk | grep disable
# cat /etc/xinetd.d/ntalk | grep disable
# cat /etc/xinetd.d/finger | grep disable
# cat /etc/xinetd.d/rexec | grep disable
# cat /etc/xinetd.d/rlogin | grep disable
# cat /etc/xinetd.d/rsh | grep disable
# cat /etc/xinetd.d/echo-dgram | grep disable
# cat /etc/xinetd.d/echo-stream | grep disable
# cat /etc/xinetd.d/discard-dgram | grep disable
# cat /etc/xinetd.d/discard-stream | grep disable
# cat /etc/xinetd.d/daytime-dgram | grep disable
# cat /etc/xinetd.d/daytime-stream | grep disable
# cat /etc/xinetd.d/chargen-dgram | grep disable
# cat /etc/xinetd.d/chargen-stream | grep disable
service tftp
{
...
disable = yes
...
}
or
# cat /etc/inetd.conf | egrep "tftp|talk|finger|rexec|rlogin|rsh|echo|discard|daytime|chargen"
tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n
talk dgram udp wait root /usr/sbin/talkd talkd
ntalk dgram udp wait root /usr/sbin/talkd talkd
finger stream tcp nowait bin /usr/lbin/fingerd fingerd
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
daytime stream tcp6 nowait root internal
daytime dgram udp6 nowait root internal
echo stream tcp6 nowait root internal
echo dgram udp6 nowait root internal
discard stream tcp6 nowait root internal
discard dgram udp6 nowait root internal
chargen stream tcp6 nowait root internal
chargen dgram udp6 nowait root internal
(Entries without a leading # are active; a disabled service appears commented out. "stream" entries use tcp/tcp6, "dgram" entries udp/udp6.)
■ AIX, HP-UX, Solaris 9 and earlier
# ps -ef | egrep "tftp|talk|rexec|rlogin|rsh|echo|discard|daytime|chargen|ypserv|ypbind|ypxfrd|yppasswdd|ypupdated"
# finger
Login Name Tty Idle Login Time Office Office Phone Host
root root pts/0 Aug 1 10:00 (192.168.0.10)
...
# cat /etc/inetd.conf | egrep "tftp|talk|finger|rexec|rlogin|rsh|echo|discard|daytime|chargen"
tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n
talk dgram udp wait root /usr/sbin/talkd talkd
ntalk dgram udp wait root /usr/sbin/talkd talkd
finger stream tcp nowait bin /usr/lbin/fingerd fingerd
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
daytime stream tcp6 nowait root internal
daytime dgram udp6 nowait root internal
echo stream tcp6 nowait root internal
echo dgram udp6 nowait root internal
discard stream tcp6 nowait root internal
discard dgram udp6 nowait root internal
chargen stream tcp6 nowait root internal
chargen dgram udp6 nowait root internal
(Entries without a leading # are active; a disabled service appears commented out. "stream" entries use tcp/tcp6, "dgram" entries udp/udp6.)
■ SOLARIS 10, 11
# svcs -a | egrep "tftp|talk|finger|login|rexec|shell|echo|discard|daytime|chargen|nis"
STATE STIME FMRI
online 10:00:00 svc:/network/chargen:dgram
online 10:00:00 svc:/network/chargen:stream
online 10:00:00 svc:/network/daytime:dgram
online 10:00:00 svc:/network/daytime:stream
online 10:00:00 svc:/network/discard:dgram
online 10:00:00 svc:/network/discard:stream
online 10:00:00 svc:/network/echo:dgram
online 10:00:00 svc:/network/echo:stream
online 10:00:00 svc:/network/time:dgram
online 10:00:00 svc:/network/time:stream
online 10:00:00 svc:/network/ftp:default
online 10:00:00 svc:/network/comsat:default
online 10:00:00 svc:/network/finger:default
online 10:00:00 svc:/network/login:eklogin
online 10:00:00 svc:/network/login:klogin
online 10:00:00 svc:/network/login:rlogin
online 10:00:00 svc:/network/nis/domain:default
online 10:00:00 svc:/network/nis/client:default
online 10:00:00 svc:/network/nis/passwd:default
online 10:00:00 svc:/network/nis/server:default
online 10:00:00 svc:/network/nis/update:default
online 10:00:00 svc:/network/nis/xfr:default
online 10:00:00 svc:/network/ntalk:default
online 10:00:00 svc:/network/rexec:default
online 10:00:00 svc:/network/shell:default
online 10:00:00 svc:/network/shell:kshell
online 10:00:00 svc:/network/talk:default
online 10:00:00 svc:/network/tftp:default
# inetadm | egrep "tftp|talk|finger|login|rexec|shell|echo|discard|daytime|chargen"
ENABLED STATE FMRI
disabled disabled svc:/network/chargen:dgram
disabled disabled svc:/network/chargen:stream
disabled disabled svc:/network/daytime:dgram
disabled disabled svc:/network/daytime:stream
disabled disabled svc:/network/discard:dgram
disabled disabled svc:/network/discard:stream
disabled disabled svc:/network/echo:dgram
disabled disabled svc:/network/echo:stream
disabled disabled svc:/network/time:dgram
disabled disabled svc:/network/time:stream
enabled online svc:/network/ftp:default
disabled disabled svc:/network/comsat:default
enabled online svc:/network/finger:default
disabled disabled svc:/network/login:eklogin
disabled disabled svc:/network/login:klogin
enabled online svc:/network/login:rlogin
enabled online svc:/network/ntalk:default
disabled disabled svc:/network/rexec:default
enabled online svc:/network/shell:default
disabled disabled svc:/network/shell:kshell
disabled disabled svc:/network/talk:default
enabled online svc:/network/tftp:default
■ RHEL 6
# ps -ef | egrep "tftp|talk|rexec|rlogin|rsh|echo|discard|daytime|chargen|ypserv|ypbind|ypxfrd|yppasswdd|ypupdated"
# finger
Login Name Tty Idle Login Time Office Office Phone Host
root root pts/0 Aug 1 10:00 (192.168.0.10)
...
# cat /etc/xinetd.d/tftp | grep disable
# cat /etc/xinetd.d/talk | grep disable
# cat /etc/xinetd.d/ntalk | grep disable
# cat /etc/xinetd.d/rexec | grep disable
# cat /etc/xinetd.d/rlogin | grep disable
# cat /etc/xinetd.d/rsh | grep disable
# cat /etc/xinetd.d/echo-dgram | grep disable
# cat /etc/xinetd.d/echo-stream | grep disable
# cat /etc/xinetd.d/discard-dgram | grep disable
# cat /etc/xinetd.d/discard-stream | grep disable
# cat /etc/xinetd.d/daytime-dgram | grep disable
# cat /etc/xinetd.d/daytime-stream | grep disable
# cat /etc/xinetd.d/chargen-dgram | grep disable
# cat /etc/xinetd.d/chargen-stream | grep disable
service echo
{
...
disable = yes
...
}
■ RHEL 7
# ps -ef | egrep "tftp|talk|rexec|rlogin|rsh|echo|discard|daytime|chargen|ypserv|ypbind|ypxfrd|yppasswdd|ypupdated"
# finger
Login Name Tty Idle Login Time Office Office Phone Host
root root pts/0 Aug 1 10:00 (192.168.0.10)
...
# systemctl is-enabled tftp.socket
# systemctl is-enabled ntalk.socket
# systemctl is-enabled rexec.socket
# systemctl is-enabled rlogin.socket
# systemctl is-enabled rsh.socket
disabled
# cat /etc/xinetd.d/echo-dgram | grep disable
# cat /etc/xinetd.d/echo-stream | grep disable
# cat /etc/xinetd.d/discard-dgram | grep disable
# cat /etc/xinetd.d/discard-stream | grep disable
# cat /etc/xinetd.d/daytime-dgram | grep disable
# cat /etc/xinetd.d/daytime-stream | grep disable
# cat /etc/xinetd.d/chargen-dgram | grep disable
# cat /etc/xinetd.d/chargen-stream | grep disable
service echo
{
...
disable = yes
...
}
※ On RHEL 7 the talk package (talk-server) runs as the ntalk service (ntalk.socket)
■ RHEL 8
# ps -ef | egrep "tftp|talk|rexec|rlogin|rsh|echo|discard|daytime|chargen|ypserv|ypbind|ypxfrd|yppasswdd|ypupdated"
# finger
Login Name Tty Idle Login Time Office Office Phone Host
root root pts/0 Aug 1 10:00 (192.168.0.10)
...
# systemctl is-enabled tftp.socket
# systemctl is-enabled rexec.socket
# systemctl is-enabled rlogin.socket
# systemctl is-enabled rsh.socket
disabled
# cat /etc/xinetd.d/echo-dgram | grep disable
# cat /etc/xinetd.d/echo-stream | grep disable
# cat /etc/xinetd.d/discard-dgram | grep disable
# cat /etc/xinetd.d/discard-stream | grep disable
# cat /etc/xinetd.d/daytime-dgram | grep disable
# cat /etc/xinetd.d/daytime-stream | grep disable
# cat /etc/xinetd.d/chargen-dgram | grep disable
# cat /etc/xinetd.d/chargen-stream | grep disable
service echo
{
...
disable = yes
...
}
※ RHEL 8 and later no longer ship the talk package (talk-server)
■ RHEL 9
# ps -ef | egrep "tftp|talk|rexec|rlogin|rsh|echo|discard|daytime|chargen"
# finger
Login Name Tty Idle Login Time Office Office Phone Host
root root pts/0 Aug 1 10:00 (192.168.0.10)
...
※ RHEL 9 and later no longer ship the NIS (Network Information Service) packages (nss_nis, yp-tools, ypbind, ypserv)
# systemctl is-enabled tftp.socket
# systemctl is-enabled rexec.socket
# systemctl is-enabled rlogin.socket
# systemctl is-enabled rsh.socket
disabled
※ RHEL 9 and later no longer ship the xinetd package, and systemd provides no echo, discard, daytime or chargen service
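The per-OS commands above are typed one at a time and read by eye. As an added example (not part of this checklist, and not a tool the checklist refers to), the POSIX shell script below applies the same rules to the configuration sources the check reads: an inetd.conf file, an /etc/xinetd.d directory, saved "systemctl list-unit-files --type=socket" output, and saved "inetadm" or "svcs -a" output. The function names are the example's own, and the sample inputs built at the bottom are constructed; point the functions at the real files and command output on the host. The process check (step 1) and the Linux NIS daemons (ypserv, ypbind and so on) are not covered by it.

```shell
#!/bin/sh
# Added example for SRV-035 (not from the original checklist): apply its rules to
# the configuration sources the check reads. Sample inputs below are constructed.

# Names as they appear in inetd.conf, xinetd files, socket units and SMF FMRIs;
# shell, login and exec are the inetd names of rsh, rlogin and rexec.
VULN_SERVICES='tftp talk ntalk finger shell login exec rsh rlogin rexec
echo discard daytime chargen nis'

is_vuln_name() {                         # $1 = service name; 0 if listed
    for s in $VULN_SERVICES; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# inetd.conf (AIX, HP-UX, Solaris 9): an uncommented line whose first field is
# a listed service means inetd serves it. Prints the line; returns 1 if any found.
check_inetd_conf() {
    found=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # blank or commented out
        svc=$(printf '%s\n' "$line" | awk '{print $1}')
        if is_vuln_name "$svc"; then
            printf 'inetd: %s\n' "$line"; found=1
        fi
    done < "$1"
    return $found
}

# xinetd (RHEL 6/7/8): a service is enabled unless its file says "disable = yes".
# The name comes from the "service NAME" line, not the file name, so
# /etc/xinetd.d/rsh (service shell) is matched correctly.
check_xinetd_dir() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        svc=$(awk '/^[[:space:]]*service[[:space:]]/ { print $2; exit }' "$f")
        is_vuln_name "$svc" || continue
        if ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            printf 'xinetd: %s enabled (%s)\n' "$svc" "$(basename "$f")"; found=1
        fi
    done
    return $found
}

# systemd (RHEL 7+): feed the output of
#   systemctl list-unit-files --type=socket --no-legend     ("UNIT FILE STATE ...")
check_systemd_sockets() {
    found=0
    while read -r unit state _; do
        [ "$state" = "enabled" ] || continue
        is_vuln_name "${unit%.socket}" || continue
        printf 'systemd: %s enabled\n' "$unit"; found=1
    done < "$1"
    return $found
}

# Solaris 10/11: feed the output of "inetadm" (ENABLED STATE FMRI) or "svcs -a"
# (STATE STIME FMRI). svc:/network/nis/* counts as "nis"; Kerberized instances
# (klogin, eklogin, kshell) are skipped since item 3 targets plaintext r-services.
check_smf_output() {
    found=0
    while read -r first _ fmri; do
        case "$first" in enabled|online) ;; *) continue ;; esac
        svc=${fmri#svc:/network/}; inst=${svc#*:}; svc=${svc%%:*}
        case "$svc" in nis/*) svc=nis ;; esac
        case "$inst" in klogin|eklogin|kshell) continue ;; esac
        is_vuln_name "$svc" || continue
        printf 'smf: %s\n' "$fmri"; found=1
    done < "$1"
    return $found
}

# ---- constructed sample inputs; use the real files / command output instead ----
tmp=$(mktemp -d)
cat > "$tmp/inetd.conf" <<'EOF'
#tftp   dgram  udp6 SRC    nobody /usr/sbin/tftpd   tftpd -n
finger  stream tcp  nowait bin    /usr/lbin/fingerd fingerd
ftp     stream tcp  nowait root   /usr/sbin/in.ftpd in.ftpd
EOF
mkdir "$tmp/xinetd.d"
printf 'service echo\n{\n\tsocket_type = dgram\n\tdisable = yes\n}\n' > "$tmp/xinetd.d/echo-dgram"
printf 'service shell\n{\n\tdisable = no\n}\n' > "$tmp/xinetd.d/rsh"
printf 'service chargen\n{\n\tsocket_type = stream\n}\n' > "$tmp/xinetd.d/chargen-stream"
printf 'tftp.socket enabled\nsshd.socket disabled\nrsh.socket disabled\n' > "$tmp/sockets.txt"
printf 'ENABLED STATE FMRI\nenabled online svc:/network/login:rlogin\ndisabled disabled svc:/network/login:klogin\nenabled online svc:/network/ftp:default\n' > "$tmp/inetadm.txt"

overall=0
check_inetd_conf "$tmp/inetd.conf"       || overall=1
check_xinetd_dir "$tmp/xinetd.d"         || overall=1
check_systemd_sockets "$tmp/sockets.txt" || overall=1
check_smf_output "$tmp/inetadm.txt"      || overall=1
rm -rf "$tmp"
[ "$overall" -eq 0 ] && echo 'SRV-035: good' || echo 'SRV-035: vulnerable'
```

Each function prints one line per active vulnerable service and returns 1 when it found any, so the script's last line maps directly onto the Good/Vulnerable criteria. On a real host run, for instance, check_inetd_conf /etc/inetd.conf on AIX or HP-UX, check_xinetd_dir /etc/xinetd.d on RHEL 6 to 8, and save "inetadm" output to a file for check_smf_output on Solaris 10/11; the xinetd parser does not read the global "disabled =" list in /etc/xinetd.conf, so check that file by hand if it is in use.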
【 Remediation 】
1. Stop and disable the vulnerable services (tftp, talk, ntalk, finger, the vulnerable r-family services, echo, discard, daytime, chargen, NIS, NIS+ and the like)
2024-01-13: (remediation steps removed)