On Mon, Jul 20, 2015 at 10:37 AM, Nikos Chantziaras <rea...@gmail.com> wrote:
> On 18/07/2015 08:43 μμ, Andrew Savchenko wrote:
>>
>> Yes and no. If user enabled network interface and has no network
>> daemons running, kernel still listens to that interface (ARP, icmp
>> and so on) and may be hacked using vulnerabilities in network
>> stack, protocol handlers or even network device drivers.
>
> Which is not a realistic scenario. We can assume that for all intents and
> purposes, the OP is safe.
>

It is a completely realistic scenario and has in fact happened in the
past (ping of death and so on).  That said, all you can do to protect
against it is update your kernel when a vulnerability is discovered,
unless you want to go funding your own kernel audit.  This scenario
applies to virtually any router in existence to some degree - at least
with a Linux router you build yourself you know for sure what is
running on it and it is easy to update if a vulnerability does get
discovered.

Just run a supported kernel and you should be fine.  You'll probably
want a longterm kernel on something like a router.

So, it isn't a reason to panic, but you could conceivably have a Linux
router whose only userspace process is an init that sets up
iptables/iproute/etc. and then just does an idle loop, and it could
still have a vulnerability.  The kernel is software like anything
else, and it can contain bugs.  That shouldn't make you afraid to use
Linux, but as with any networked device you should understand security
and ensure that if there is a problem you'll find out about it and be
able to fix it.  That is true of Linux, any embedded OS, or of almost
any device that contains RAM.

-- 
Rich