
New TCP/IP exploit - affecting Linux kernel

Posted: Thu Aug 11, 2016 3:56 am
by Lucap
http://www.theregister.co.uk/2016/08/10 ... nications/
The TCP/IP networking blunder, present in the open-source kernel since version 3.6, can be exploited by miscreants to confirm whether any two systems are talking to each other over a network. Furthermore, it can be abused to break their connections or insert malicious code and data into their communications if the exchange is not properly encrypted. In other words, you can hijack HTTP with this.
Doesn't sound good.

Re: Linux security backfires: Flaw lets hackers inject malware into downloads

Posted: Thu Aug 11, 2016 4:38 am
by Pjotr
It looks like it's being tackled: https://people.canonical.com/~ubuntu-se ... -5696.html

Don't worry too much. Security vulnerabilities are a common occurrence, on every operating system. That's OK, as long as they're being fixed quickly. That's why we sometimes get security updates on a daily basis... :wink:

Re: New TCP/IP exploit

Posted: Fri Aug 12, 2016 1:35 am
by Lucap
Any idea what DNE & ignored is all about?

Re: New TCP/IP exploit

Posted: Fri Aug 12, 2016 5:06 am
by Pjotr
Lucap wrote: Any idea what DNE & ignored is all about?
"ignored" is apparently a label that they've put on kernel packages that have reached end-of-life anyway, or aren't relevant, or have been abandoned. So those won't be fixed.

DNE: I don't know... Maybe an abbreviation of "Doesn't need (it)" or something?

There's an update in the "Notes" section of that Canonical page, by the way:
sbeattie> fix is going to land in Ubuntu kernels in this SRU cycle,
with a likely release date of Aug 27. Earlier access to the kernels
with the fix will be available from the -proposed pocket, though they
come with the risk of being less tested.

Re: New TCP/IP exploit

Posted: Fri Aug 12, 2016 5:47 am
by MajorMuff
Issue was already fixed in the 4.7 kernel.

Latest Kernel cover this security flaw?

Posted: Fri Aug 12, 2016 7:49 am
by felemur
http://www.theregister.co.uk/2016/08/10 ... nications/

But the update manager does not have a 4.7 option... So does kernel update 4.4.0-34 cover this?

Re: Latest Kernel cover this security flaw?

Posted: Fri Aug 12, 2016 9:53 am
by Pjotr
felemur wrote: does Kernel update 4.4.0-34 cover this?
No, the update for the 4.4 series should arrive for Ubuntu on August 27 (according to the notes on the Canonical page). It'll probably be available for Mint shortly after that.

Don't be overly worried; it's not that there's suddenly a huge *practical* risk for desktop users, in real life... :mrgreen:

Re: New TCP/IP exploit - affecting Linux kernel

Posted: Fri Aug 12, 2016 10:23 am
by chrisuk
If you've any concerns, just follow the advice in the link in the OP:
As a workaround while patches to fix the problem are prepared and distributed, you can raise the rate limit on your Linux machine or gadget so that it cannot be reached, by appending the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

And then use sysctl -p to activate the new rule. You need to be root to do this.
You can just delete the line from sysctl.conf when a fix is released

Re: New TCP/IP exploit - affecting Linux kernel

Posted: Fri Aug 12, 2016 1:29 pm
by Fred Barclay
The "good" news (relatively) is that it appears that https connections aren't as vulnerable... they can be "broken" but not unencrypted.
Or so they say...

Kernel vulnerability

Posted: Fri Aug 12, 2016 5:02 pm
by Mintster
There is a kernel vulnerability related to TCP right now. I am using kernel 3.19.0-32-generic and have 17.3 Cinnamon installed. I have no proprietary drivers in use. This is the only setup I have found where my computer runs perfectly. If I upgrade the kernel to 4.4 my screen tears and I have to use proprietary drivers, and then my system starts freezing up periodically. I tried Ubuntu Mate 16.04 and Linux Mint 18 with the computer constantly freezing. So this setup works perfectly but I don't know if my kernel is patched and safe. I have the Intel 6700K cpu. Graphics card is "Intel Corporation Sky lake Integrated Graphics." How do I avoid upgrading the kernel or find out if my kernel is safe? thanx

Re: Kernel vulnerability

Posted: Fri Aug 12, 2016 5:12 pm
by deepakdeshp
Hello,
This is the database for vulnerability

https://www.cvedetails.com/vulnerabilit ... ernel.html

Re: Kernel vulnerability

Posted: Fri Aug 12, 2016 5:37 pm
by Mintster
https://blogs.akamai.com/2016/08/vulner ... ation.html


Vulnerability in the Linux kernel's tcp stack implementation
Akamai InfoSec
By Akamai InfoSec August 10, 2016 6:50 PM

Akamai is aware of a vulnerability, announced at the USENIX Security conference on Aug 10, 2016, which describes a vulnerability in the Linux kernel's tcp stack implementation (kernel versions 3.6 to 4.6). At a high-level, a patient adversary can leverage rate-limited challenge ACK's on a non-secure tcp connection to conduct a hijacking attack.

The Issue

The 3.6 Linux kernel introduced a global challenge ACK counter limit in order to improve tcp's robustness to blind in-window attacks as specified in RFC 5961. However, an attacker can use this global challenge ACK counter to infer the sequence and ack number of an off-path tcp connection. In a typical client/server tcp connection, an attacker can establish connections with the server. Thus, the attacker can establish a number of connections with the server, and send sufficient out-of-window traffic, in order to use up the entire global challenge ack limit. In this case, the attacker can expect to receive the number of challenge acks that is equal to the challenge ACK counter limit in response. The attacker can then infer information about the sequence number and ack number of the connection by realizing if it has received fewer challenge ACKs in response than the global challenge ACK counter limit.
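As an added example (not code from this thread, The Register, Canonical or Akamai), here is a read-only check that ties the two practical points in the thread together: the affected upstream range Akamai gives (3.6 through 4.6) and the tcp_challenge_ack_limit workaround chrisuk quoted. The version string and the current limit are passed in as arguments, so the constructed sample values at the bottom are assumptions, not measurements from any poster's machine.

```shell
#!/bin/sh
# Added example: report whether a kernel's upstream version is in the
# 3.6..4.6 range Akamai lists as affected, and whether the
# net.ipv4.tcp_challenge_ack_limit workaround from the article is applied.

# kernel_affected <release>: succeeds when major.minor is within 3.6 .. 4.6.
# Caveat: a distro kernel (e.g. Ubuntu's 4.4.0-34) may carry a backported
# fix under an old version string; check the USN/CVE tracker for that.
kernel_affected() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}          # drop ".0-34-generic" style suffixes
    [ -n "$minor" ] || return 1
    case "$major" in
        3) [ "$minor" -ge 6 ] ;;
        4) [ "$minor" -le 6 ] ;;
        *) return 1 ;;
    esac
}

# workaround_applied <limit>: succeeds when the limit is at or above the
# 999999999 value the quoted sysctl workaround sets.
workaround_applied() {
    [ "$1" -ge 999999999 ] 2>/dev/null
}

# assess <release> <limit>: prints a verdict; returns 0 when no action is
# needed and 1 when the workaround (or a kernel update) is still pending.
assess() {
    if ! kernel_affected "$1"; then
        echo "$1: upstream version outside 3.6-4.6, not affected"
        return 0
    fi
    if workaround_applied "$2"; then
        echo "$1: affected series, but tcp_challenge_ack_limit=$2 is in place"
        return 0
    fi
    echo "$1: affected series, tcp_challenge_ack_limit=$2; apply the sysctl workaround or update"
    return 1
}

# Stand-alone run: use the live values when /proc has them, otherwise a
# constructed sample (a 3.19 kernel with the old default limit of 100).
if [ -r /proc/sys/net/ipv4/tcp_challenge_ack_limit ]; then
    assess "$(uname -r)" "$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit)" || true
else
    assess "3.19.0-32-generic" 100 || true
fi
```

Run it as a normal user; it only reads /proc and never writes sysctl settings.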

Re: Kernel vulnerability

Posted: Fri Aug 12, 2016 8:07 pm
by jimallyn
I read the other day that Red Hat has a patch for this. I suspect all the other distros will have it shortly.

Linux vulnerability leaves top sites wide open to attackers

Posted: Fri Aug 12, 2016 9:37 pm
by Destry
RT | Aug 11, 2016
http://on.rt.com/7mcm

[snip]

A flaw in the Linux operating system lets hackers inject malware into downloads and expose the identities of people using anonymizing software such as Tor – even for those who aren’t using Linux directly.

In a Wednesday presentation at the USENIX Security Symposium in Austin, Texas, researchers with the University of California, Riverside showed that the flaw lies in the Transmission Control Protocol (TCP) used by Linux since late 2012.

The networking blunder is present in the Linux kernel, the core of its operating system, and can be exploited by malicious actors to determine whether two systems are communicating with each other, and even inject malicious data into or break their connection.

At the symposium, the researchers demonstrated the exploit by injecting code into a live USA Today page that asks visitors to enter their emails and passwords, which was possible because pages on USA Today aren’t encrypted.

Perhaps most importantly, the intercepting of data doesn’t require a man-in-the-middle attack, where a connection will covertly intercept, collect and pass forward information between two parties. Instead, attackers can just send packets of data to the two targets with spoofed credentials.

Pure Off-path TCP attack demo by using a side channel in Recent Linux Kernel
Sec UCR
Aug 5, 2016
https://www.youtube.com/watch?v=S4Ns5wla9DY

Full Report: http://on.rt.com/7mcm

Re: Kernel vulnerability

Posted: Fri Aug 12, 2016 10:27 pm
by rpark107
...Read a post on The Register site for the work around below:

As a workaround while patches to fix the problem are prepared and distributed, you can raise the rate limit on your Linux machine or gadget so that it cannot be reached, by appending the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

And then use sysctl -p to activate the new rule. You need to be root to do this.

Re: Linux vulnerability leaves top sites wide open to attackers

Posted: Fri Aug 12, 2016 11:09 pm
by all41

Re: New TCP/IP exploit - affecting Linux kernel

Posted: Thu Aug 18, 2016 12:28 am
by uberdorf
It looks like the vulnerability got fixed in the kernel update 4.4.0-34.53 for Ubuntu 16.04/LM 18 as of 10 Aug.
http://news.softpedia.com/news/canonica ... 7184.shtml
http://www.ubuntu.com/usn/usn-3055-1/

If so, we should all do the kernel update ASAP.

Re: New TCP/IP exploit - affecting Linux kernel

Posted: Thu Aug 18, 2016 2:35 am
by ostracized
uberdorf wrote: It looks like the vulnerability got fixed in the kernel update 4.4.0-34.53 for Ubuntu 16.04/LM 18 as of 10 Aug.
No. What you're looking for is CVE-2016-5696 which has been patched but has yet to be released in a kernel update from Canonical. Mods, can you please merge this thread with viewtopic.php?f=58&t=226928 to keep the discussion in 1 place?

To make related matters worse, 1.4 billion Android users are also at risk connecting to unencrypted sites. And you also have the additional problem of OEMs who can't be bothered to update an Android phone that's ~2 years old, so you end up having a lot of devices that are vulnerable to multiple pathways of attack. Kinda makes users of "dumb" phones appear to be the "smart" ones.

Re: New TCP/IP exploit - affecting Linux kernel

Posted: Thu Aug 18, 2016 7:09 am
by Lucap
ostracized wrote: Mods, can you please merge this thread with viewtopic.php?f=58&t=226928 to keep the discussion in 1 place?
Unless there is some confusion amongst the news sites reporting, the other thread is about a webpage script exploit against both Windows and Linux users.

This thread is about a similar TCP exploit but specifically against the Linux kernel???

Re: New TCP/IP exploit - affecting Linux kernel

Posted: Fri Aug 19, 2016 2:38 am
by ostracized
This CVE was (very briefly) mentioned in the latest Ubuntu podcast @29:05 as well yesterday. No further discussion than what we already know, other than "I'd expect this patch to go out in a couple weeks."