It sounds fairly serious (I just had a quick read through). Like yourself I am not a security professional though. Unless someone on this list has something they can add (which would be great), then I guess we just have to watch the story develop. Hopefully we'll be able to pick up the kernel fix fairly quickly in 16.04.
On Wed, Aug 10, 2016 at 3:00 PM fred roller <[email protected]> wrote:
> Picked this up on the Fedora list. Just passing along as it pertains to all of Linux. I have not implemented this patch as of yet on my Xubuntu system until I fully read the paper, some 17 pages. Being a security issue thought it best to at least put the info out. Discussion is more than welcome as there seems to be some concern with increasing the ACK time. This is not my area of specialty. Hope it helps...
>
> \begin quote
> Hi,
>
> There is a severe security hole in TCP on the linux system. Here are some extracts from an abstract of the paper about the weakness.
>
> "Instead, they identified a subtle flaw (in the form of 'side channels') in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties."
>
> This means that given any two arbitrary machines on the internet, a remote blind attacker without being able to eavesdrop on the communication, can track users' online activity, terminate connections with others and inject false material into their communications. Encrypted connections (e.g., HTTPS) are immune to data injection, but they are still subject to being forcefully terminated by the attacker. The weakness would allow attackers to degrade the privacy of anonymity networks, such as Tor, by forcing the connections to route through certain relays. The attack is fast and reliable, often taking less than a minute and showing a success rate of about 90 percent. The researchers created a short video showing how the attack works.
>
> https://www.youtube.com/watch?v=S4Ns5wla9DY
>
> "The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain," Qian said.
>
> Qian said the researchers have alerted Linux about the vulnerability, which has resulted in patches applied to the latest Linux version. Until then, Qian recommends the following temporary patch that can be applied to both client and server hosts. It simply raises the 'challenge ACK limit' to an extremely large value to make it practically impossible to exploit the side channel. This can be done on Ubuntu, for instance, as follows:
>
> 1. Open /etc/sysctl.conf, append a command "/net.ipv4/tcp_challenge_ack_limit = 999999999".
>
> 2. Use "sysctl -p" to update the configuration.
>
> The full paper is available here as a pdf.
> http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
>
> How soon will we see a kernel in Fedora that has this fixed? Or is it already fixed?
>
> Thanks.
> \end quote
>
> Again, hope this helps. Further insight is welcome.
>
> -- Fred
> --
> xubuntu-users mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/xubuntu-users
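The two-step sysctl mitigation quoted in the thread, as an added shell example that is not part of any message above: it writes the challenge-ACK limit into a sysctl config file idempotently (replacing any earlier active or commented setting rather than appending duplicates) and compares a running value against the chosen threshold. The config-file path, the procfs path (defaulting to the standard /proc/sys node) and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# The valid sysctl name is net.ipv4.tcp_challenge_ack_limit; the quoted
# mail writes it with slashes, which sysctl -p would reject.
KEY="net.ipv4.tcp_challenge_ack_limit"
# regex-escaped form of KEY for sed (dots would otherwise match any char)
KEY_RE=$(printf '%s' "$KEY" | sed 's/\./\\./g')

# set_challenge_ack_limit FILE VALUE
# Removes every existing (active or commented-out) assignment of KEY from
# FILE and appends exactly one active line, so repeated runs are safe.
set_challenge_ack_limit() {
    file="$1"; value="$2"
    case "$value" in
        ''|*[!0-9]*) echo "value must be a non-negative integer" >&2; return 1 ;;
    esac
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    sed -E "/^[[:space:]]*#?[[:space:]]*${KEY_RE}[[:space:]]*=/d" "$file" > "$tmp"
    printf '%s = %s\n' "$KEY" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# configured_limit FILE -> prints the value assigned to KEY in FILE (last
# active assignment wins, as sysctl -p applies them in order); empty if none
configured_limit() {
    sed -n -E "s/^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p" "$1" | tail -n 1
}

# running_limit [PROCFILE] -> prints the kernel's current value; pass another
# file to exercise the check offline (the default is the real procfs node)
running_limit() {
    cat "${1:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}" 2>/dev/null
}

# mitigated VALUE MIN -> success (0) when VALUE is set and >= MIN
mitigated() {
    [ -n "$1" ] && [ "$1" -ge "$2" ]
}
```

After editing the real /etc/sysctl.conf with `set_challenge_ack_limit /etc/sysctl.conf 999999999`, the thread's second step (`sysctl -p`) is still what loads it; `mitigated "$(running_limit)" 999999999` then tells you whether the running kernel has picked it up.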
