[SECURITY] NanoKVM is a router #197

Closed
ValdikSS opened this issue Dec 9, 2024 · 7 comments

Comments

@ValdikSS

ValdikSS commented Dec 9, 2024

NanoKVM v1.3.0 image (20241120_NanoKVM_Rev1_3_0.img.xz) comes with IPv4 and IPv6 routing enabled, with firewall accepting all routed connections unconditionally.

When IP forwarding is enabled, the device can potentially forward packets between different networks, which might expose internal network to unauthorized access or attacks.
https://www.tenable.com/plugins/nessus/50686

NanoKVM is not a router, hence this function should be disabled.

# sysctl -a 2>/dev/null | grep -E 'ip_forward|eth0.*forwarding'
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.eth0.forwarding = 1
# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
# ip6tables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Forwarding is enabled by /etc/sysctl.d/99-tailscale.conf, which I assume is not necessary for the client configuration.

# cat /etc/sysctl.d/99-tailscale.conf 
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Workaround:

rm /etc/sysctl.d/99-tailscale.conf
ln -s /dev/null /etc/sysctl.d/99-tailscale.conf
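The check described above, as an added example that is not part of this issue or of the NanoKVM project: it parses captured `sysctl -a` and `iptables -vnL FORWARD` output, flags the combination of forwarding sysctls set to 1 with a FORWARD chain whose policy is ACCEPT, and prints the defensive steps to close it. The sample outputs are constructed from the listings in this issue; the function names are assumptions.

```shell
#!/bin/sh
# Audit helpers for the "device is silently a router" condition from this issue.
# They take command output as text so they can be exercised offline.

# True (exit 0) if the sysctl text enables IPv4 global or any IPv6 forwarding.
forwarding_enabled() {
    printf '%s\n' "$1" \
      | grep -Eq '^net\.(ipv4\.ip_forward|ipv6\.conf\.[^ ]+\.forwarding) *= *1$'
}

# Prints the default policy (ACCEPT/DROP/...) of the FORWARD chain.
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# True when packets are both forwarded and accepted by the FORWARD chain.
is_unintended_router() {
    forwarding_enabled "$1" && [ "$(forward_policy "$2")" = "ACCEPT" ]
}

# Prints (does not apply) the runtime fix plus the persistence step from the
# issue, so the plan can be reviewed before it is run as root.
remediation_plan() {
    cat <<'EOF'
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv6.conf.all.forwarding=0
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
rm /etc/sysctl.d/99-tailscale.conf
ln -s /dev/null /etc/sysctl.d/99-tailscale.conf
EOF
}

# Constructed samples, copied from the output quoted in this issue.
SAMPLE_SYSCTL='net.ipv4.conf.eth0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.eth0.forwarding = 1'
SAMPLE_IPTABLES='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'
# Constructed sample of a hardened host, for comparison.
HARDENED_SYSCTL='net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0'
HARDENED_IPTABLES='Chain FORWARD (policy DROP 0 packets, 0 bytes)'

if is_unintended_router "$SAMPLE_SYSCTL" "$SAMPLE_IPTABLES"; then
    echo "FORWARDING ON + FORWARD policy ACCEPT: host routes unconditionally"
    remediation_plan
fi
```

On a live device, replace the sample variables with `$(sysctl -a 2>/dev/null)` and `$(iptables -vnL FORWARD)`; the IPv6 chain is checked the same way with `ip6tables`.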
@mcury1985

Good, thanks for informing.
I have a DMZ, /30, just for the nanoKVM. This network doesn't have IPv6 enabled and it is blocked to reach any other VLAN in my network, only Internet access is allowed (for tailscale).

@kedama222 kedama222 mentioned this issue Dec 14, 2024
@AJolly

AJolly commented Jan 24, 2025

This should be configurable. I like having NanoKVM set up as a Tailscale router.

@wj-xiao
Collaborator

wj-xiao commented Feb 6, 2025

The /etc/sysctl.d/99-tailscale.conf is created by the Tailscale startup script /etc/init.d/S98tailscaled.

In the next version, Tailscale will not start automatically at boot. IP forwarding will only be enabled when Tailscale is started manually and disabled when stopped.

@Gunni

Gunni commented Feb 6, 2025

@wj-xiao note that doing so means enabling tailscale will disable IPv6 unless #297 is also fixed.

markuman added a commit to markuman/nanokvm-mitigations that referenced this issue Feb 6, 2025
@markuman

markuman commented Feb 6, 2025

In the meantime, empty the file and make it immutable
https://github.com/markuman/nanokvm-mitigations/blob/latest/cleanup.yml#L41-L48

@Sfinx

Sfinx commented Feb 7, 2025

This stopped me from buying this china spy shit - https://youtu.be/plJGZQ35Q6I?t=1386

@wj-xiao
Collaborator

wj-xiao commented Feb 19, 2025

You can flash the image v1.4.0; Tailscale is disabled by default. The router is also disabled by default, and the /etc/sysctl.d/99-tailscale.conf is created only when Tailscale starts.

Alternatively, update the application to 2.2.0 and disable Tailscale in the web settings. This deletes the /etc/sysctl.d/99-tailscale.conf and prevents Tailscale from starting on boot.

@wj-xiao wj-xiao closed this as completed Feb 19, 2025