ZeroTierOne
Please compile binaries with all hardening options
Is your feature request related to a problem? Please describe.
I checked if the zerotier-one binary is compiled with hardening options on a Debian system and found the following:
$ hardening-check /usr/sbin/zerotier-one
/usr/sbin/zerotier-one:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: unknown, no -fcf-protection instructions found!
Describe the solution you'd like
Please add the following compiler options: -fstack-clash-protection -fcf-protection
For the -D_FORTIFY_SOURCE=2 option I'm not sure because zerotier-one is written in C++, but it would not harm.
Describe alternatives you've considered
Compiling zerotier-one oneself with hardening options is possible, but
- few people will do it
- it is more difficult to update the software
- when reporting bugs it is better to rely on the same binaries as the developer
Additional context
zerotier-one listens on many UDP and TCP ports, so an additional layer of protection would be very welcome.
# netstat -lpn | grep zerotier
tcp 0 0 192.168.141.13:39684 0.0.0.0:* LISTEN 3288239/zerotier-on
tcp 0 0 192.168.141.13:39685 0.0.0.0:* LISTEN 3288239/zerotier-on
tcp 0 0 192.168.141.13:9993 0.0.0.0:* LISTEN 3288239/zerotier-on
tcp 0 0 127.0.0.1:9993 0.0.0.0:* LISTEN 3288239/zerotier-on
tcp6 0 0 ::1:9993 :::* LISTEN 3288239/zerotier-on
udp 0 0 192.168.141.13:39684 0.0.0.0:* 3288239/zerotier-on
udp 0 0 192.168.141.13:39685 0.0.0.0:* 3288239/zerotier-on
udp 0 0 192.168.141.13:9993 0.0.0.0:* 3288239/zerotier-on
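For readers who want to reproduce the checks above without devscripts, here is an added example (not ZeroTierOne code, and not the hardening-check script itself) that reads the relevant ELF structures directly. It assumes a 64-bit little-endian ELF, reports "cet" from the x86 GNU property note the linker emits when every object was built with -fcf-protection (hardening-check instead scans for the instructions, so it can also see partial coverage), and uses a small, assumed subset of glibc's fortifiable functions to distinguish "no" from "unknown". Stack-clash protection is left out because detecting it needs a disassembler.

```python
"""Hardening report for a 64-bit little-endian ELF, read straight from the file.

Added example for this thread; not ZeroTierOne code and not devscripts'
hardening-check. Stack-clash protection is not covered, since finding the
stack probes needs a disassembler.
"""
import struct
import sys

ET_DYN, PT_DYNAMIC, SHT_DYNSYM = 3, 2, 11
PT_GNU_RELRO, PT_GNU_PROPERTY = 0x6474E552, 0x6474E553
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
NT_GNU_PROPERTY_TYPE_0, GNU_PROPERTY_X86_FEATURE_1_AND = 5, 0xC0000002
CET_MASK = 0x1 | 0x2  # X86_FEATURE_1_IBT | X86_FEATURE_1_SHSTK, set by -fcf-protection
# Assumption: a small subset of the libc functions glibc can fortify, enough to
# tell "unprotected calls present" from "nothing protectable used".
PROTECTABLE = {"memcpy", "memset", "strcpy", "strncpy", "strcat", "sprintf",
               "snprintf", "printf", "fprintf", "read", "recv", "fgets", "gets"}


def dynsym_names(data, shoff, shentsize, shnum):
    """Names of all .dynsym symbols, located through the section headers."""
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
             for i in range(shnum)]
    names = set()
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab_off = shdrs[sh[6]][4]  # sh_link names the .dynstr section
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name = struct.unpack_from("<I", data, off)[0]
            if st_name:
                start = strtab_off + st_name
                names.add(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names


def x86_feature_1(data, off, size):
    """GNU_PROPERTY_X86_FEATURE_1_AND bits from a PT_GNU_PROPERTY segment, else 0."""
    end = off + size
    while off + 12 <= end:
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name, off = data[off:off + namesz], off + ((namesz + 3) & ~3)
        desc_end = off + descsz
        if name == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            p = off
            while p + 8 <= desc_end:
                pr_type, pr_datasz = struct.unpack_from("<II", data, p)
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz >= 4:
                    return struct.unpack_from("<I", data, p + 8)[0]
                p += 8 + ((pr_datasz + 7) & ~7)  # ELF64 properties are 8-byte aligned
        off = (desc_end + 3) & ~3
    return 0


def hardening_report(path):
    """Return a dict with one entry per hardening-check line (minus stack clash)."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file: " + path)
    (e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize)
             for i in range(phnum)]
    report = {
        "pie": e_type == ET_DYN,                              # a plain .so matches too
        "relro": any(ph[0] == PT_GNU_RELRO for ph in phdrs),  # -Wl,-z,relro
        "bind_now": False,                                    # -Wl,-z,now
        "stack_protector": False,                             # -fstack-protector*
        "fortify": "unknown",                                 # -D_FORTIFY_SOURCE=2
        "cet": False,                                         # -fcf-protection
    }
    for ph in phdrs:
        if ph[0] == PT_DYNAMIC:  # ph[2] = p_offset, ph[5] = p_filesz
            for off in range(ph[2], ph[2] + ph[5], 16):
                tag, val = struct.unpack_from("<QQ", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    report["bind_now"] = True
        elif ph[0] == PT_GNU_PROPERTY:
            bits = x86_feature_1(data, ph[2], ph[5])
            report["cet"] = (bits & CET_MASK) == CET_MASK
    names = dynsym_names(data, shoff, shentsize, shnum) if shoff else set()
    report["stack_protector"] = "__stack_chk_fail" in names
    if any(n.startswith("__") and n.endswith("_chk") and n != "__stack_chk_fail"
           for n in names):
        report["fortify"] = "yes"   # e.g. __memcpy_chk or __printf_chk is imported
    elif names & PROTECTABLE:
        report["fortify"] = "no"    # protectable libc functions called unfortified
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    for key, value in hardening_report(target).items():
        print("%-16s %s" % (key + ":", value))
```

Run it as `python3 elfharden.py /usr/sbin/zerotier-one` (the file name is arbitrary). "bind_now" is only meaningful together with "relro": both true is what the ld docs call full RELRO, which is what the "Immediate binding: yes" line above confirms for the 1.4.x packages.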
Version 1.6.0 of zerotier regressed:
$ hardening-check /usr/sbin/zerotier-one
/usr/sbin/zerotier-one:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no, not found!
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
Version 1.6.1 is back where version 1.4.x was:
$ hardening-check /usr/sbin/zerotier-one
/usr/sbin/zerotier-one:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
Hello all,
Any chance of any update for this?
Thanks!
Checking in here after detecting this on a test implementation of this application. Is there a known reason why these hardening options aren't at least enabled for common Linux builds?
Here is for version 1.8.4:
$ hardening-check /usr/sbin/zerotier-one
/usr/sbin/zerotier-one:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
So better, but still improvable...
The situation improved a lot with the latest package version for Ubuntu 22.04/jammy:
$ hardening-check /usr/sbin/zerotier-one
/usr/sbin/zerotier-one:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: yes
Control flow integrity: no, not found!
Thanks for that!
Now only the CFI compilation option is missing.
Hello!
Thanks for pointing this out. Where might we find the hardening-check (script?) that you're running so we can add it to our tests?
-s
Never mind... found it in devscripts
Exactly!