Bug 591624 (CVE-2016-5696) - sys-kernel/gentoo-sources: TCP/IP Injection vulnerability
Summary: sys-kernel/gentoo-sources: TCP/IP Injection vulnerability
Status: CONFIRMED
Alias: CVE-2016-5696
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal (3 votes)
Assignee: Gentoo Kernel Security
URL: http://seclists.org/oss-sec/2016/q3/44
Reported: 2016-08-18 16:46 UTC by Brian Evans
Modified: 2016-12-07 04:34 UTC
Description Brian Evans Gentoo Infrastructure gentoo-dev 2016-08-18 16:46:09 UTC
From RedHat's post to oss-sec:

> G'day,
>
> Red Hat Product Security has been made aware of an important issue in
> the Linux kernel's implementation of challenge ACKs as specified in
> RFC 5961. An attacker who knows a connection's client IP, server IP
> and server port can abuse the challenge ACK mechanism
> to determine the accuracy of a normally 'blind' attack on the client or server.
>
> Successful exploitation of this flaw could allow a remote attacker to
> inject into or control the contents of a TCP stream in a connection between a
> Linux device and its connected client/server.
>
> * This does NOT mean that cryptographic information is exposed.
> * This is not a Man in the Middle (MITM) attack.
>
> This was reported to Red Hat by Yue Cao, part of the Cyber Security
> Group at the University of California.
>
> Thanks,
>
> Wade Mealing
> Red Hat Product Security Team

Workaround:

Set net.ipv4.tcp_challenge_ack_limit = 999999999

Patch:
Added as part of 4.7 with https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758
Comment 1 Daniel "Fremen" Llewellyn 2016-09-14 12:44:26 UTC
Is there progress on this issue? I see that sys-kernel/gentoo-sources-4.7.{2,3} are still ~ARCH masked.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2016-09-16 08:26:05 UTC
(In reply to Daniel "Fremen" Llewellyn from comment #1)
> Is there progress on this issue? I see that
> sys-kernel/gentoo-sources-4.7.{2,3} are still ~ARCH masked.

The 4.7 branch is not a long-term stable branch, so it likely should not be stabilized in any case. Can you identify in which LTS branch versions similar fixes have been applied?
Comment 3 Daniel "Fremen" Llewellyn 2016-09-16 08:51:18 UTC
Hi, just spent a while tracking down the relevant details from kernel commit logs.

It looks like the fix landed upstream in 4.4.18 for the LTS branch. That branch is currently at 4.4.21, released yesterday.

The changelog for 4.4.18 is at [1]. The commit which purportedly fixes the issue is at [2]. There is a related patch at [3] which may not be necessary to mitigate this issue, but it landed in 4.4.18 at the same time as the previous patch...

[1] https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.18
[2] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758
[3] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=083ae308280d13d187512b9babe3454342a7987e
Comment 4 Daniel "Fremen" Llewellyn 2016-09-16 11:08:41 UTC
For the 4.1 branch, which is the latest we currently have stabilised from what I can gather, the relevant commits made it into 4.1.32 (ref: [1]).

[1] https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.32
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2016-09-16 11:41:41 UTC
(In reply to Daniel "Fremen" Llewellyn from comment #4)
> For the 4.1 branch, which is the latest we currently have stabilised from

Thanks. For kernel LTS the latest stable itself isn't necessarily the most relevant, but we need to look into the latest stable version for each LTS. In addition to 4.1 that would include 3.18.25-r1 as the latest stable in that branch atm.

Just as a disclaimer, security team does not regularly track security bugs in the kernel, but it is nice to have it documented for transparency.
Comment 6 Niko Böckerman 2016-09-19 18:04:38 UTC
Hi, I went through the kernel changelogs for the 3.18 branch.

The fixing commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 was merged in version 3.18.41. The other commit 083ae308280d13d187512b9babe3454342a7987e doesn't seem to have been backported to the 3.18 branch at all.

Snippet from relevant changelog [1]:

commit 0efba8d124de904db7766645561a6f39c501f2c1
Author: Eric Dumazet <edumazet@google.com>
Date:   Sun Jul 10 10:04:02 2016 +0200

    tcp: make challenge acks less predictable
    
    [ Upstream commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 ] 
...

[1] https://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.18.41
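A small POSIX sh checker, added here as an example (it is not part of this bug report, of gentoo-sources or of the kernel tree), that turns the fix versions identified in the description and comments 3 to 6 (4.7, 4.4.18, 4.1.32, 3.18.41) and the suggested sysctl value into a per-host decision: fixed kernel, unfixed kernel with the workaround active, or still needs the workaround. The function names and the assumption that branches not named in this bug are fixed only from 4.7 onwards are mine.

```sh
#!/bin/sh
# Added example (not from this bug or the kernel project): decide whether a kernel
# still needs the CVE-2016-5696 workaround, using fix versions the comments cite.
# version_ge A B: succeed when dotted version A is numerically >= B.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a= || a=${a#*.}
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# kernel_fixed VERSION: succeed when VERSION (as uname -r prints it, e.g.
# "4.4.21-gentoo") carries the fix. Assumption: other branches fixed from 4.7 on.
kernel_fixed() {
    v=${1%%-*}                      # drop the distro suffix, e.g. -gentoo-r1
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    case "$major.$minor" in
        3.18) version_ge "$v" 3.18.41 ;;
        4.1)  version_ge "$v" 4.1.32 ;;
        4.4)  version_ge "$v" 4.4.18 ;;
        *)    version_ge "$v" 4.7 ;;
    esac
}

# workaround_active LIMIT: succeed when the sysctl holds the value the bug
# suggests, which defeats the shared rate counter the attack observes.
workaround_active() {
    [ "${1:-0}" -ge 999999999 ]
}
# check_host: classify the running system; returns 1 when neither fix nor
# workaround is present (reads uname -r and the live sysctl value).
check_host() {
    kver=$(uname -r)
    limit=$(sysctl -n net.ipv4.tcp_challenge_ack_limit 2>/dev/null || echo 0)
    if kernel_fixed "$kver"; then
        echo "kernel $kver: fixed upstream"
    elif workaround_active "$limit"; then
        echo "kernel $kver: unfixed, workaround active (limit=$limit)"
    else
        echo "kernel $kver: apply sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999"
        return 1
    fi
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it as `sh checker.sh --check` on a host; the exit status is 1 only when the workaround is still needed.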