[xubuntu-users] FYI Security patch linux
Dan Ballance
tzewang.dorje at gmail.com
Wed Aug 10 16:07:11 UTC 2016
It sounds fairly serious (I just had a quick read through). Like yourself I
am not a security professional though. Unless someone on this list has
something they can add (which would be great), then I guess we just have to
watch the story develop. Hopefully we'll be able to pick up the kernel fix
fairly quickly in 16.04.
On Wed, Aug 10, 2016 at 3:00 PM fred roller <fredroller66 at gmail.com> wrote:
> Picked this up on the Fedora list. Just passing along as it pertains to
> all of Linux. I have not implemented this patch as of yet on my Xubuntu
> system until I fully read the paper, some 17 pages. Being a security issue
> thought it best to at least put the info out. Discussion is more than
> welcome as there seems to be some concern with increasing the ACK time.
> This is not my area a specialty. Hope it helps...
>
> \begin quote
> Hi,
>
> There is a severe security hole in TCP on the linux system. Here are
> some extracts from an abstract of the paper about the weakness.
>
> "Instead, they identified a subtle flaw (in the form of 'side
> channels') in the Linux software that enables attackers to infer the
> TCP sequence numbers associated with a particular connection with no
> more information than the IP address of the communicating parties. "
>
> This means that given any two arbitrary machines on the internet, a
> remote blind attacker without being able to eavesdrop on the
> communication, can track users' online activity, terminate connections
> with others and inject false material into their communications.
> Encrypted connections (e.g., HTTPS) are immune to data injection, but
> they are still subject to being forcefully terminated by the attacker.
> The weakness would allow attackers to degrade the privacy of anonymity
> networks, such as Tor, by forcing the connections to route through
> certain relays. The attack is fast and reliable, often taking less than
> a minute and showing a success rate of about 90 percent. The
> researchers created a short video showing how the attacks works.
>
> https://www.youtube.com/watch?v=S4Ns5wla9DY
>
> "The unique aspect of the attack we demonstrated is the very low
> requirement to be able to carry it out. Essentially, it can be done
> easily by anyone in the world where an attack machine is in a network
> that allows IP spoofing. The only piece of information that is needed
> is the pair of IP addresses (for victim client and server), which is
> fairly easy to obtain," Qian said.
>
> Qian said the researchers have alerted Linux about the vulnerability,
> which has resulted in patches applied to the latest Linux version.
> Until then, Qian recommends the following temporary patch that can be
> applied to both client and server hosts. It simply raises the
> `challenge ACK limit' to an extremely large value to make it
> practically impossible to exploit the side channel. This can be done on
> Ubuntu, for instance, as follows:
>
> 1. Open /etc/sysctl.conf, append a command
> "/net.ipv4/tcp_challenge_ack_limit = 999999999".
>
> 2. Use "sysctl -p" to update the configuration.
>
> The full paper is available here as a pdf.
> http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
>
> How soon will we see a kernel in Fedora that has this fixed? Or is it
> already fixed?
>
> Thanks.
> \end quote
>
> Again, hope this helps. Further insight is welcome.
>
> -- Fred
> --
> xubuntu-users mailing list
> xubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/xubuntu-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/xubuntu-users/attachments/20160810/1db0f7b1/attachment.html>
More information about the xubuntu-users
mailing list