SecurityTracker.com
Category:   Device (Firewall)  >   Palo Alto PAN-OS
Vendors:   Palo Alto Networks
(Palo Alto Networks Issues Fix for Palo Alto PAN-OS) Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases
SecurityTracker Alert ID:  1038543
SecurityTracker URL:  http://securitytracker.com/id/1038543
CVE Reference:   CVE-2016-5696
Date:  May 23 2017
Impact:   Denial of service via network, Disclosure of system information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.1, 7.0, 7.1.9 and prior 7.1.x versions
Description:   A vulnerability was reported in the Linux kernel. A remote user can obtain potentially sensitive information about a target TCP connection in certain cases. A remote user can cause denial of service conditions against the target TCP connection or hijack the target TCP connection in certain cases. Palo Alto PAN-OS is affected.

A remote user can conduct a side-channel attack against TCP connections to determine if two arbitrary hosts have established a TCP connection and to potentially hijack the connection in certain cases.

A remote user that can establish a separate TCP connection to the target system can send specially crafted TCP RST and TCP SYN packets that cause the target system to respond with a number of challenge ACK packets exceeding the target system's challenge ACK maximum, while at the same time sending spoofed packets to the first target system with the source address of a second target system. If the full maximum number of challenge ACK packets is returned to the remote user from the first target system, the remote user can infer that no connection exists between the two target systems. If fewer than the maximum number of challenge ACK packets are returned, the remote user can infer that an established TCP connection exists between the two target systems.

A similar attack method can be used to determine correct TCP sequence numbers for a target TCP connection and then hijack the target connection.

The report indicates that an attack can be completed in 60 seconds or less, on average, with an 88% to 97% success rate.

The vulnerability resides in the challenge ACK response mechanism and global rate limit mechanism specified in RFC 5961 and as implemented in the Linux kernel.
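
Because the inference depends on the global challenge ACK budget being used up, a host that keeps hitting that budget second after second is worth a look. The sketch below is an added example, not part of the advisory or of any vendor tooling: it computes the challenge ACK rate from successive `/proc/net/netstat` snapshots on a Linux host and reports intervals at or near the limit. The limit of 100 per second (the pre-fix default of `net.ipv4.tcp_challenge_ack_limit`), the 90% tolerance, the three-interval threshold and the sample data are assumptions.

```python
# Added example, not part of the advisory. Flags seconds in which a Linux host
# spent (nearly) its whole challenge ACK budget, using /proc/net/netstat.

def parse_tcpext(text):
    """Return the TcpExt counters of a /proc/net/netstat dump as a dict."""
    rows = [l.split() for l in text.splitlines() if l.startswith("TcpExt:")]
    if len(rows) != 2:
        raise ValueError("expected one TcpExt name line and one value line")
    names, values = rows[0][1:], rows[1][1:]
    if len(names) != len(values):
        raise ValueError("TcpExt name/value count mismatch")
    return dict(zip(names, map(int, values)))

def saturated_intervals(snapshots, limit=100, tolerance=0.9):
    """snapshots: [(unix_time, netstat_text), ...], oldest first.
    Returns (start, end, rate) for every interval in which challenge ACKs
    were sent at >= tolerance * limit per second.
    limit=100 is an assumption: the pre-fix tcp_challenge_ack_limit default."""
    hits, prev_t, prev = [], None, None
    for t, text in snapshots:
        cur = parse_tcpext(text)["TCPChallengeACK"]
        # Skip the first sample and counter resets (reboot).
        if prev is not None and t > prev_t and cur >= prev:
            rate = (cur - prev) / (t - prev_t)
            if rate >= tolerance * limit:
                hits.append((prev_t, t, rate))
        prev_t, prev = t, cur
    return hits

def sustained(hits, min_consecutive=3):
    """True if at least min_consecutive back-to-back intervals saturated.
    The threshold of 3 is illustrative, not taken from the advisory."""
    run = best = 0
    last_end = None
    for start, end, _ in hits:
        run = run + 1 if start == last_end else 1
        best = max(best, run)
        last_end = end
    return best >= min_consecutive

def sample_netstat(n):
    """Constructed sample input, trimmed to three TcpExt counters."""
    return ("TcpExt: SyncookiesSent TCPChallengeACK TCPSYNChallenge\n"
            f"TcpExt: 0 {n} 4\nIpExt: InOctets\nIpExt: 12345\n")

QUIET = [(0, sample_netstat(10)), (1, sample_netstat(12)), (2, sample_netstat(15))]
BUSY = [(t, sample_netstat(n)) for t, n in [(0, 10), (1, 110), (2, 210), (3, 309), (4, 311)]]

if __name__ == "__main__":
    print(saturated_intervals(QUIET), sustained(saturated_intervals(BUSY)))
```

Set `limit` from the host's actual `net.ipv4.tcp_challenge_ack_limit` value before relying on the result.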

The original advisory is available at:

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf

Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V. Krishnamurthy of University of California, Riverside, and Lisa M. Marvel of US Army Research Laboratory reported this vulnerability at the 25th USENIX Security Symposium, Austin, Texas.

Impact:   A remote user can determine if two arbitrary hosts have established a TCP connection in certain cases.

A remote user can tear down a target TCP connection in certain cases.

A remote user can hijack a target TCP connection in certain cases.

Solution:   Palo Alto Networks has issued a fix (7.1.10).

The Palo Alto Networks advisory is available at:

https://securityadvisories.paloaltonetworks.com/Home/Detail/85

Vendor URL:  securityadvisories.paloaltonetworks.com/Home/Detail/85
Cause:   Access control error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Aug 16 2016 Linux Kernel Lets Remote Users Obtain Potentially Sensitive Information About, Deny Service, and Hijack Target TCP Connections in Certain Cases



 Source Message Contents

Subject:  https://securityadvisories.paloaltonetworks.com/Home/Detail/85

 
 



Copyright 2021, SecurityGlobal.net LLC