[xubuntu-users] FYI Security patch linux

fred roller fredroller66 at gmail.com
Wed Aug 10 14:00:01 UTC 2016


Picked this up on the Fedora list. Just passing along as it pertains to all
of Linux. I have not implemented this patch as of yet on my Xubuntu system
until I fully read the paper, some 17 pages.  Being a security issue
thought it best to at least put the info out. Discussion is more than
welcome as there seems to be some concern with increasing the ACK time.
This is not my area of specialty. Hope it helps...

\begin quote
Hi,

There is a severe security hole in TCP on the linux system.  Here are
some extracts from an abstract of the paper about the weakness.

"Instead, they identified a subtle flaw (in the form of 'side
channels') in the Linux software that enables attackers to infer the
TCP sequence numbers associated with a particular connection with no
more information than the IP address of the communicating parties. "

This means that given any two arbitrary machines on the internet, a
remote blind attacker without being able to eavesdrop on the
communication, can track users' online activity, terminate connections
with others and inject false material into their communications.
Encrypted connections (e.g., HTTPS) are immune to data injection, but
they are still subject to being forcefully terminated by the attacker.
The weakness would allow attackers to degrade the privacy of anonymity
networks, such as Tor, by forcing the connections to route through
certain relays. The attack is fast and reliable, often taking less than
a minute and showing a success rate of about 90 percent. The
researchers created a short video showing how the attack works.

https://www.youtube.com/watch?v=S4Ns5wla9DY

"The unique aspect of the attack we demonstrated is the very low
requirement to be able to carry it out. Essentially, it can be done
easily by anyone in the world where an attack machine is in a network
that allows IP spoofing. The only piece of information that is needed
is the pair of IP addresses (for victim client and server), which is
fairly easy to obtain," Qian said.

Qian said the researchers have alerted Linux about the vulnerability,
which has resulted in patches applied to the latest Linux version.
Until then, Qian recommends the following temporary patch that can be
applied to both client and server hosts. It simply raises the
`challenge ACK limit' to an extremely large value to make it
practically impossible to exploit the side channel. This can be done on
Ubuntu, for instance, as follows:

1. Open /etc/sysctl.conf, append a command
"net.ipv4.tcp_challenge_ack_limit = 999999999".

2. Use "sysctl -p" to update the configuration.

The full paper is available here as a pdf.
http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf

How soon will we see a kernel in Fedora that has this fixed?  Or is it
already fixed?

Thanks.
\end quote

Again, hope this helps.  Further insight is welcome.

-- Fred
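
A check for the temporary mitigation quoted above, as an added example that is not part of the original post or the quoted message: it reports the running value of tcp_challenge_ack_limit and the last value set for it in each sysctl file. The function names and the use of 999999999 (the figure from the post) as the threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: audit the temporary tcp_challenge_ack_limit mitigation.
KEY="net.ipv4.tcp_challenge_ack_limit"
WANT=999999999   # value quoted in the post; used here as the threshold (assumption)

# Print the last value assigned to KEY in a sysctl-style file ($1).
# Matches only the dotted and the all-slash spelling of the key, so a
# mixed form such as "/net.ipv4/..." is reported as not configured.
configured_value() {
    [ -r "$1" ] || return 0
    awk -F= -v key="$KEY" '
        BEGIN { alt = key; gsub(/\./, "/", alt) }
        /^[ \t]*[#;]/ { next }              # comment lines
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key || k == alt) last = v
        }
        END { if (last != "") print last }' "$1"
}

# Classify a value as unset, low, or mitigated (>= WANT).
classify() {
    case "$1" in
        ''|*[!0-9]*) echo "unset" ;;
        *) if [ "$1" -ge "$WANT" ]; then echo "mitigated"; else echo "low"; fi ;;
    esac
}

# Report the running value and every file that sets the key.
audit() {
    live=$(cat "/proc/sys/net/ipv4/tcp_challenge_ack_limit" 2>/dev/null || true)
    echo "running kernel: ${live:-unavailable} ($(classify "$live"))"
    for f in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
        v=$(configured_value "$f")
        if [ -n "$v" ]; then echo "$f: $v ($(classify "$v"))"; fi
    done
}

audit
```

If a file shows the large value but the running kernel does not, the "sysctl -p" step has not been run since the file was edited.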