Security Fixes & Conntrack Hardening in SPR
Anvil Secure recently published a post and whitepaper covering conntrack flaws that are common with many linux routers and linux "multihomed" devices. In this post we'll cover SPR, how our process mitigated the highest risk vulnerabilities, how we fixed the rest and other improvements we're making to be resilient against attacks like this in the future.
Overview
Conntrack is part of Linux Netfilter and is an integral part of a stateful firewall for allowing Network Address Translation on a network. A router uses it to allow clients to establish connections through the uplink interfaces.
Anvil Secure published details on how devices often fail to lock down their firewalls correctly since Conntrack operates at layer 3. External attackers that are one hop away can abuse this to spoof IP addresses and send traffic to internal interfaces on devices and routers for an established connection managed with conntrack. For most of our users, this limits the attack to compromised or hostile ISP providers, which is an uncommon (but not unheard of attack vector). However, since the WiFi Pod can be used as a travel router, it's important to us that they are can withstand being attached to a hostile network.
The riskiest of the attacks happen to not affect SPR.