SecurityTracker.com
Category:   OS (Linux)  >   Linux Kernel
Vendors:   kernel.org
Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
SecurityTracker Alert ID:  1036625
SecurityTracker URL:  http://securitytracker.com/id/1036625
CVE Reference:   CVE-2016-5696
Date:  Aug 16 2016
Impact:   Denial of service via network, Disclosure of system information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.6 and after
Description:   A vulnerability was reported in the Linux kernel. A remote user can obtain potentially sensitive information about a target TCP connection in certain cases. A remote user can cause denial of service conditions against the target TCP connection or hijack the target TCP connection in certain cases.

A remote user can conduct a side-channel attack against TCP connections to determine if two arbitrary hosts have established a TCP connection and to potentially hijack the connection in certain cases.

A remote user that can establish a separate TCP connection to the target system can send specially crafted TCP RST and TCP SYN packets to solicit a number of challenge ACK packets that exceeds the target system's challenge ACK maximum, while at the same time sending spoofed packets to the first target system with the source address of a second target system. If the full maximum number of challenge ACK packets is returned to the remote user from the first target system, then the remote user can infer that a connection does not exist between the two target systems. If fewer than the maximum number of challenge ACK packets are returned to the remote user from the first target system, then the remote user can infer that there is an established TCP connection between the two target systems.

A similar attack method can be used to determine correct TCP sequence numbers for a target TCP connection and then hijack the target connection.

The report indicates that an attack can be completed in 60 seconds or less, on average, with an 88% to 97% success rate.

The vulnerability resides in the challenge ACK response mechanism and global rate limit mechanism as specified in RFC 5961 and implemented in the Linux kernel.
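The shared-counter effect described above can be seen in a small model, added here as an example (it is not kernel code and not taken from the advisory). It shows why a fixed, host-wide challenge ACK budget lets one connection's count reveal activity on another, and how a budget that varies per interval hides a one-ACK difference. `MODEL_LIMIT`, the labels A and B, and the randomized budget are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

#define MODEL_LIMIT 100u        /* constructed per-interval limit, not from the advisory */
static uint32_t rng_state = 1u; /* fixed seed so runs are repeatable */

static uint32_t rng_next(void)  /* xorshift32, stands in for a kernel PRNG */
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Challenge ACKs the whole host may send in one rate-limit interval. */
static unsigned interval_budget(int randomized)
{
    if (!randomized)
        return MODEL_LIMIT;                            /* same every interval */
    return MODEL_LIMIT / 2 + rng_next() % MODEL_LIMIT; /* varies per interval */
}

/* One interval: connection B consumes b_acks challenge ACKs from the shared
 * budget, then connection A asks for more than any budget can cover.
 * Returns how many challenge ACKs connection A receives. */
static unsigned acks_seen_by_a(int randomized, unsigned b_acks)
{
    unsigned budget = interval_budget(randomized);
    unsigned requests = 2 * MODEL_LIMIT;

    budget -= (b_acks < budget) ? b_acks : budget;
    return budget < requests ? budget : requests;
}

/* Count interval pairs in which A's totals differ by exactly the one ACK
 * that B consumed, i.e. the shared counter exposed B's activity. */
static unsigned exact_leaks(int randomized, unsigned trials)
{
    unsigned hits = 0;
    for (unsigned i = 0; i < trials; i++)
        if (acks_seen_by_a(randomized, 0) == acks_seen_by_a(randomized, 1) + 1)
            hits++;
    return hits;
}

int main(void)
{
    printf("fixed budget:      %u/1000\n", exact_leaks(0, 1000));
    printf("randomized budget: %u/1000\n", exact_leaks(1, 1000));
    return 0;
}
```

With the fixed budget every trial exposes the one-ACK difference; with the varying budget only chance coincidences remain.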

The original advisory is available at:

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf

Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V. Krishnamurthy of University of California, Riverside, and Lisa M. Marvel of US Army Research Laboratory reported this vulnerability at the 25th USENIX Security Symposium, Austin, Texas.

Impact:   A remote user can determine if two arbitrary hosts have established a TCP connection in certain cases.

A remote user can tear down a target TCP connection in certain cases.

A remote user can hijack a target TCP connection in certain cases.

Solution:   The vendor has issued a source code fix [in July 2016], available at:

https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758

Vendor URL:  www.kernel.org/
Cause:   Access control error, State error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 19 2016 (Red Hat Issues Fix) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Aug 19 2016 (Oracle Issues Fix for Oracle Linux) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
Oracle has issued a fix for Oracle Linux 7.
Aug 19 2016 (Red Hat Issues Fix) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Aug 23 2016 (Red Hat Issues Fix) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
Red Hat has issued a fix for Red Hat Enterprise Linux 7.1.
Aug 24 2016 (CentOS Issues Fix) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
CentOS has issued a fix for CentOS 6.
Aug 25 2016 (Oracle Issues Fix for Oracle Linux) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
Oracle has issued a fix for Oracle Linux 6.
Aug 30 2016 (Ubuntu Issues Fix) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
Ubuntu has issued a fix for Ubuntu Linux 16.04 LTS.
Sep 15 2016 (Oracle Issues Fix for Oracle Linux) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
Oracle has issued a fix for Oracle Linux 7.
May 23 2017 (Palo Alto Networks Issues Fix for Palo Alto PAN-OS) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
Palo Alto Networks has issued a fix for Palo Alto PAN-OS.
Apr 28 2018 (Juniper Issues Fix for Juniper NSM) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
Juniper has issued a fix for Juniper NSM.



Copyright 2019, SecurityGlobal.net LLC