Bug 1354708 (CVE-2016-5696)
Summary: | CVE-2016-5696 kernel: challenge ACK counter information disclosure. | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Wade Mealing <wmealing> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | agordeev, alick9188, apmukher, aquini, arm-mgr, bhaubeck, bhu, carnil, dhoward, dshaw, e02862, editucci, edward.lara.lara, esammons, fadamo, fhrbata, gansalmon, gfigueir, hmatsumo, iboverma, itamar, jaeshin, jeyu, jforbes, jkacur, jkalliya, joelsmith, jonathan, jpoimboe, jross, jrusnack, jswensso, juhu, jwboyer, keesdejong+dev, kernel-maint, kernel-mgr, kstutsma, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mdshaikh, menthos, mguzik, mjc, nmurray, pdwyer, plougher, pmatouse, primeroznl, qguo, rik.theys, rmanes, rt-maint, rvrbovsk, sardella, security-response-team, slawomir, slong, stephenbryant, tfrazier, upendra.gandhi, vgoyal, williams, wlehman, wmealing, ykawada, yosnoop |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | kernel 4.7.1, kernel 4.6.7, kernel 4.4.18, kernel 3.14.76 | Doc Type: | If docs needed, set a value |
Doc Text: |
It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate a TCP connection and/or inject a payload into a non-secured TCP connection between two endpoints on the network.
|
Last Closed: | 2016-10-14 17:13:21 UTC | Type: | --- |
Bug Depends On: | 1355603, 1355605, 1355606, 1355607, 1355615, 1355616, 1355618, 1355619, 1355620, 1356599, 1356600, 1356601, 1356602, 1356603, 1356604, 1356712 | ||
Bug Blocks: | 1354704 |
Description
Wade Mealing
2016-07-12 01:50:40 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1355615]

Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4 and 5.

Acknowledgements:

Name: Yue Cao (Cyber Security Group of the CS department of University of California in Riverside)

Here's v2 of the patch (which is the version which was merged into the network tree):

https://www.mail-archive.com/netdev@vger.kernel.org/msg118824.html

kernel-4.6.4-201.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

kernel-4.6.4-301.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

External References:

http://lwn.net/Articles/696868/

In the changelog to kernel-core-4.6.5-301.fc24 (and subsequent kernels) it has:
> * Tue Jul 12 2016 Josh Boyer <xxxxxxxxxxxxxxxxxxxxxxxx> - 4.6.4-301
> - CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615)
Can you confirm whether "CVE-2016-5969" is in fact a typo for "CVE-2016-5696"?
Thanks!
(In reply to Steve Bryant from comment #24)
> In the changelog to kernel-core-4.6.5-301.fc24 (and subsequent kernels) it
> has:
>
> > * Tue Jul 12 2016 Josh Boyer <xxxxxxxxxxxxxxxxxxxxxxxx> - 4.6.4-301
> > - CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615)
>
> Can you confirm whether "CVE-2016-5969" is in fact a typo for
> "CVE-2016-5696"?

Indeed, it is a typo.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1632 https://rhn.redhat.com/errata/RHSA-2016-1632.html

This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1631 https://rhn.redhat.com/errata/RHSA-2016-1631.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1633 https://rhn.redhat.com/errata/RHSA-2016-1633.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2016:1657 https://rhn.redhat.com/errata/RHSA-2016-1657.html

Hi,

Is there an ETA, or a plan at all, to backport the fixes to EL6?

Thanks

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1664 https://rhn.redhat.com/errata/RHSA-2016-1664.html

When I take an interim action, how much should be the number of challenge ack?

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2016:1814 https://rhn.redhat.com/errata/RHSA-2016-1814.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:1815 https://rhn.redhat.com/errata/RHSA-2016-1815.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:1939 https://rhn.redhat.com/errata/RHSA-2016-1939.html
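
The Doc Text of this bug describes the leak as congestion on a global challenge ACK rate limit counter that is then measured with probe packets. The C model below is an added illustration, not kernel code and not part of this bug report: it shows why a fixed host-wide budget reveals activity on other connections and why a per-window randomized budget removes that signal. All function names, the limits 100 and 1000, and the randomization range are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model (constructed for illustration): one host-wide challenge ACK
 * budget per one-second window, shared by every connection on the host.
 * Limits and the randomization range are assumptions of this model. */
static uint32_t rng_state = 2463534242u;            /* fixed seed: repeatable runs */
static uint32_t rng_next(void) {                    /* xorshift32 */
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Budget at the start of a window. randomized == 0: the same fixed limit
 * every window. randomized != 0: a value in [limit/2, limit/2 + limit),
 * unknown to anyone outside the host. */
static uint32_t window_budget(uint32_t limit, int randomized) {
    return randomized ? (limit + 1) / 2 + rng_next() % limit : limit;
}

/* The observer sends `probes` packets on its OWN connection, each asking for
 * a challenge ACK, after `other` ACKs were already spent on some other
 * connection in the same window. Returns the ACKs the observer receives. */
static uint32_t acks_observed(uint32_t budget, uint32_t other, uint32_t probes) {
    uint32_t left = budget > other ? budget - other : 0;
    return probes < left ? probes : left;
}

/* Over `windows` windows, alternate other = 0/1 and let the observer guess
 * "another connection triggered a challenge ACK" whenever it receives fewer
 * ACKs than the nominal limit. Returns how many guesses were right. */
static uint32_t correct_guesses(uint32_t limit, int randomized, uint32_t windows) {
    uint32_t right = 0;
    for (uint32_t w = 0; w < windows; w++) {
        uint32_t other = w & 1;
        uint32_t got = acks_observed(window_budget(limit, randomized), other, limit);
        right += ((got < limit) == (other == 1));
    }
    return right;
}

int main(void) {
    printf("fixed limit 100:       %u/1000 correct\n", correct_guesses(100, 0, 1000));
    printf("randomized limit 1000: %u/1000 correct\n", correct_guesses(1000, 1, 1000));
    return 0;
}
```

With the fixed budget every guess is correct, which is the one-bit side channel; with the randomized budget the observer's count is dominated by the unknown budget and the guesses fall to about chance.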