[arch-security] [ASA-201608-17] linux-lts: information disclosure

Remi Gacogne rgacogne at archlinux.org
Sun Aug 21 18:45:55 UTC 2016


Arch Linux Security Advisory ASA-201608-17
==========================================

Severity: High
Date    : 2016-08-21
CVE-ID  : CVE-2016-5696
Package : linux-lts
Type    : information disclosure
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package linux-lts before version 4.4.19-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 4.4.19-1.

# pacman -Syu "linux-lts>=4.4.19-1"

The problem has been fixed upstream in version 4.4.19.

Workaround
==========

The challenge ACK rate limiting can be entirely disabled by setting
net.ipv4.tcp_challenge_ack_limit to a very high value. This can be done
by creating a new file in the /etc/sysctl.d/ directory containing the
following line:

net.ipv4.tcp_challenge_ack_limit = 999999999

then issuing the following command so that the new file is taken into
account:

# sysctl --system

Please be aware that this workaround should be removed as soon as a
patched kernel has been installed, as ACK rate limiting is a useful
security feature.

Description
===========

A security issue has been found in the Linux kernel's implementation of
challenge ACKs as specified in RFC 5961. An attacker which knows a
connection's client IP, server IP and server port can abuse the
challenge ACK mechanism to determine the accuracy of a normally 'blind'
attack on the client or server.

Successful exploitation of this flaw could allow a remote attacker to
inject or control a TCP stream contents in a connection between a Linux
device and its connected client/server.

Impact
======

A remote attacker can detect, control and inject content into a TCP stream.

References
==========

http://seclists.org/oss-sec/2016/q3/44
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758
https://access.redhat.com/security/cve/CVE-2016-5696

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160821/5f258be2/attachment.asc>


More information about the arch-security mailing list