Security Vulnerabilities with Fingerprinting: Linux Considerations
By Tim Radzykewycz
Various tools, such as nmap, can help determine which operating system a particular computer is running, based on the responses it generates to crafted network probes. This is called “fingerprinting.”
Fingerprinting is a security concern. It doesn’t make it possible to exploit anything that isn’t already exploitable. However, it significantly trims the search space of potential vulnerabilities that the hacker or pentester would need to try. With successful fingerprinting, it takes less time to compromise a computer.
For a basic operating system installation such as Wind River Linux, Fedora, CentOS, etc., the fact that the OS can be fingerprinted may not be significant. The owner of a given system, or of a given class of systems, can increase general-purpose security through standard techniques such as keeping the number of network daemons to the bare minimum, careful configuration, and so on. Those actions reduce the number of vulnerabilities that might be available to exploit. But if the attacker’s fingerprinting is successful, the attacker can still quickly discover any known vulnerabilities that remain. Regular monitoring for penetration attempts helps to identify attacks and indicates whether they may have succeeded, so that the problem can be remediated. For general computer systems, the industry’s best security practices are appropriate.
If this is not enough, additional security features can be included and enabled, such as using a verified boot mechanism, isolating users from each other with Discretionary Access Control (DAC) and Mandatory Access Control (MAC) and other mechanisms, a secure backup mechanism, security-aware configuration monitoring tools, firewall, an Intrusion Detection System (IDS), and so on.
For Wind River Linux, these features and feature bundles are available from the Security Profile. For Fedora, CentOS, and other more mainline distros, use the normal package manager supported for that distro and find the appropriate packages.
Whenever fingerprinting is successful, whether extra security features are enabled or not, an attacker has an easier time finding a known vulnerability. So for some system owners, preventing nmap and other tools from successfully fingerprinting a system is a desirable goal.
But there are degrees of success for fingerprinting. If the attacker identifies that the system is likely running Linux, that does not provide very much information. And it does not reduce the search space for known vulnerabilities by very much.
Even adding a major version number, such as Linux 3 or Linux 4, does not limit the search space very much. And because of how network protocols are defined, many services must accept connections on discoverable ports, or the system won’t behave as required. So a list of open ports is unavoidable. These minimal bits of information are not usually a problem, and fingerprinting at this level does not significantly benefit the attacker.
Beyond this minimal identification, fingerprinting does reduce the search space for attackers seeking vulnerabilities. However, there are difficulties with preventing it, as well. The two primary difficulties are the cost of implementing and maintaining the changes necessary to avoid fingerprinting, and the fact that any such changes are themselves subject to being fingerprinted. The second is particularly insidious, because the resulting fingerprint would be highly selective and provide the most benefit to the attacker.
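To make the "search space" argument concrete, here is a toy stack-fingerprint matcher. It is an added illustration, not code from the article or from nmap: the signature table, the attribute values and the OS labels are all constructed for the example. It shows how each additional observable (initial TTL, advertised TCP window, DF bit, timestamp option) narrows the candidate set, why a TTL-only "it is probably Linux" result is of little value, and why a host whose stack has been tuned away from every known signature ends up matching nothing, which makes it stand out rather than blend in.

```python
"""Toy TCP/IP stack fingerprint matcher (constructed illustration).

Each signature is a set of attribute values a fingerprinting tool could read
off a single SYN/ACK reply. Real tools use hundreds of tests and large
databases; the six entries below are invented for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """Observable attributes of one reply to a crafted probe."""
    ttl: int      # initial IP TTL, inferred from the observed hop count
    window: int   # TCP window size advertised in the reply
    df: bool      # IP Don't-Fragment bit set
    ts: bool      # TCP timestamp option present


# Constructed signature database. Labels and values are hypothetical.
SIGNATURES = {
    "Linux 3.x (constructed)": Probe(ttl=64, window=14600, df=True, ts=True),
    "Linux 4.x (constructed)": Probe(ttl=64, window=29200, df=True, ts=True),
    "Linux 4.x, timestamps off (constructed)": Probe(ttl=64, window=29200, df=True, ts=False),
    "BSD-like (constructed)": Probe(ttl=64, window=65535, df=True, ts=True),
    "Windows-like (constructed)": Probe(ttl=128, window=8192, df=True, ts=False),
    "Embedded RTOS (constructed)": Probe(ttl=255, window=4096, df=False, ts=False),
}

# Order in which attributes are applied; each step can only shrink the set.
ATTRIBUTES = ("ttl", "window", "df", "ts")


def narrow(observed: Probe):
    """Apply attributes one at a time.

    Returns a list of (attribute, remaining candidate names) so the reader can
    see how much each observable trims the search space.
    """
    remaining = list(SIGNATURES)
    steps = []
    for attr in ATTRIBUTES:
        want = getattr(observed, attr)
        remaining = [n for n in remaining if getattr(SIGNATURES[n], attr) == want]
        steps.append((attr, list(remaining)))
    return steps


def classify(observed: Probe):
    """Final candidate list; empty when nothing in the table matches."""
    return narrow(observed)[-1][1]


def coarse_family(observed: Probe):
    """TTL-only guess: the cheap 'probably Linux' level of identification."""
    return sorted({n.split()[0] for n in SIGNATURES if SIGNATURES[n].ttl == observed.ttl})


def is_distinctive(observed: Probe):
    """True when the reply pins the host to at most one known signature.

    An unmatched reply (zero candidates) is the case the article warns about:
    a tuned stack that resembles nothing in the database is trivially picked
    out of a crowd of stock installations.
    """
    return len(classify(observed)) <= 1


if __name__ == "__main__":
    stock = Probe(ttl=64, window=29200, df=True, ts=True)      # constructed
    tuned = Probe(ttl=61, window=29200, df=True, ts=True)      # constructed: TTL altered
    for label, p in (("stock", stock), ("tuned", tuned)):
        print(f"{label}: family guess {coarse_family(p)}")
        for attr, left in narrow(p):
            print(f"  after {attr:6}: {len(left)} candidate(s) {left}")
        print(f"  distinctive: {is_distinctive(p)}")
```

Running the block shows the stock reply collapsing from four TTL-64 candidates to one after the window and timestamp tests, while the TTL-tweaked reply drops to zero candidates at the first step: it has not hidden, it has acquired a fingerprint of its own.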
As with all security considerations, the cost-benefit trade-off needs to be considered. We’re now in a position to do so.
The benefit of fingerprint obfuscation is not to make the system less vulnerable, but to make the attackers’ job harder by making them attempt attacks in a brute-force fishing expedition.
When attacks are easy and scriptable, this does not provide a large benefit. Moreover, any off-the-shelf anti-fingerprint solution would not be suitable for the users who want it most, because the off-the-shelf solution would itself be subject to being fingerprinted; such system owners would need to spend additional resources customizing it beyond what might be included in anyone’s base product. This reduces the value even further below the minimal baseline benefit of fingerprint obfuscation. Given these limits on the benefit, the cost of implementation, and the very high cost of maintaining what must inevitably be a fragile solution, it is questionable whether fingerprint obfuscation should ever be high on the list of priorities for general-purpose computers.