From Red Hat's post to oss-sec:

> Gday,
>
> Red Hat Product Security has been made aware of an important issue in
> the Linux kernel's implementation of challenge ACKs as specified in
> RFC 5961. An attacker which knows a connection's client IP, server IP
> and server port can abuse the challenge ACK mechanism
> to determine the accuracy of a normally 'blind' attack on the client or server.
> Successful exploitation of this flaw could allow a remote attacker to
> inject or control a TCP stream's contents in a connection between a
> Linux device and its connected client/server.
>
> * This does NOT mean that cryptographic information is exposed.
> * This is not a Man in the Middle (MITM) attack.
>
> This was reported to Red Hat by Yue Cao, part of the Cyber Security
> Group in the University of California
>
> Thanks,
>
> Wade Mealing
> Red Hat Product Security Team

Workaround: Set net.ipv4.tcp_challenge_ack_limit = 999999999

Patch: Added as part of 4.7 with https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758
Is there progress on this issue? I see that sys-kernel/gentoo-sources-4.7.{2,3} are still ~ARCH masked.
(In reply to Daniel "Fremen" Llewellyn from comment #1)
> Is there progress on this issue? I see that
> sys-kernel/gentoo-sources-4.7.{2,3} are still ~ARCH masked.

The 4.7 branch is not a long term stable, so likely should not get stabilized in any case. Can you identify in which LTS branch versions similar fixes have been applied?
Hi,

Just spent a while tracking down the relevant details from kernel commit logs. It looks like the fix landed upstream in 4.4.18 for the LTS branch. They're currently sat at 4.4.21, released yesterday. The changelog for 4.4.18 is at [1]. The commit which purportedly fixes the issue is at [2]. There is a related patch at [3] which may not be necessary to mitigate this issue, but it landed in 4.4.18 at the same time as the previous patch...

[1] https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.18
[2] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758
[3] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=083ae308280d13d187512b9babe3454342a7987e
For the 4.1 branch, which is the latest we currently have stabilised from what I can gather, the relevant commits made it into 4.1.32 (ref: [1]).

[1] https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.32
(In reply to Daniel "Fremen" Llewellyn from comment #4)
> for the 4.1 branch which is the latest we currently have stabilisied from

Thanks. For kernel LTS the latest stable itself isn't necessarily the most relevant, but need to look into the latest stable version for each LTS. In addition to 4.1 that would include 3.18.25-r1 as the latest stable in that branch atm. Just as a disclaimer, security team does not regularly track security bugs in the kernel, but it is nice to have it documented for transparency.
Hi,

I went through kernel changelogs for the 3.18 branch. The fixing commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 is merged in version 3.18.41. The other commit 083ae308280d13d187512b9babe3454342a7987e doesn't seem to be backported at all to the 3.18 branch.

Snippet from relevant changelog [1]:

    commit 0efba8d124de904db7766645561a6f39c501f2c1
    Author: Eric Dumazet <edumazet@google.com>
    Date:   Sun Jul 10 10:04:02 2016 +0200

        tcp: make challenge acks less predictable

        [ Upstream commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 ]
    ...

[1] https://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.18.41
Fix in 4.7
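As an added example that is not part of this bug thread: a POSIX shell check that maps a running kernel release to the first releases identified above as carrying the fix (4.7 mainline, 4.4.18, 4.1.32, 3.18.41) and, failing that, looks for the Red Hat workaround sysctl. The status names and the treatment of branches the thread does not mention are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify a kernel release against
# the first releases named in this thread that carry upstream commit
# 75ff39ccc1bd ("tcp: make challenge acks less predictable"), otherwise check
# for the Red Hat workaround sysctl. Status names are this example's own.

# version_ge A B: succeed when dotted version A is numerically >= B.
version_ge() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        [ "$v1" = "$a" ] && v1= || v1=${v1#*.}
        [ "$v2" = "$b" ] && v2= || v2=${v2#*.}
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# challenge_ack_fixed_in BRANCH: first release on that branch with the fix,
# per this thread; prints nothing for branches the thread does not cover.
challenge_ack_fixed_in() {
    case "$1" in
        3.18) echo 3.18.41 ;;
        4.1)  echo 4.1.32 ;;
        4.4)  echo 4.4.18 ;;
        *)    if version_ge "$1" 4.7; then echo 4.7; fi ;;  # mainline >= 4.7
    esac
}

# challenge_ack_status RELEASE TCP_CHALLENGE_ACK_LIMIT
# Prints one of: patched, workaround, vulnerable, unknown.
challenge_ack_status() {
    ver=${1%%[!0-9.]*}                   # "4.4.21-gentoo" -> "4.4.21"
    branch=$(echo "$ver" | cut -d. -f1,2)
    fixed=$(challenge_ack_fixed_in "$branch")
    if [ -n "$fixed" ] && version_ge "$ver" "$fixed"; then
        echo patched
    elif [ "${2:-0}" -ge 999999999 ]; then
        echo workaround                  # tcp_challenge_ack_limit raised
    elif [ -n "$fixed" ]; then
        echo vulnerable
    else
        echo unknown                     # branch not covered by this thread
    fi
}

# Live check of the running host (Linux only; skipped elsewhere).
if [ -r /proc/sys/net/ipv4/tcp_challenge_ack_limit ]; then
    challenge_ack_status "$(uname -r)" "$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit)"
fi
```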