Bug 1354708 (CVE-2016-5696)

Summary: CVE-2016-5696 kernel: challenge ACK counter information disclosure.
Product: [Other] Security Response
Reporter: Wade Mealing <wmealing>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: kernel 4.7.1, kernel 4.6.7, kernel 4.4.18, kernel 3.14.76
Doc Type: If docs needed, set a value
Doc Text:
It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes with probe packets. An off-path attacker could use this flaw to terminate a TCP connection and/or inject a payload into a non-secured TCP connection between two endpoints on the network.
Story Points: ---
Last Closed: 2016-10-14 17:13:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1355603, 1355605, 1355606, 1355607, 1355615, 1355616, 1355618, 1355619, 1355620, 1356599, 1356600, 1356601, 1356602, 1356603, 1356604, 1356712
Bug Blocks: 1354704

Description Wade Mealing 2016-07-12 01:50:40 UTC
A flaw was found in the Linux kernel's implementation of networking
challenge ACK handling, where an attacker is able to determine the
shared counter.

This may allow an attacker located on a different subnet to inject into or take over a TCP connection between a server and client without needing a traditional Man In The Middle (MITM) style attack.

OSS-Security post:
http://seclists.org/oss-sec/2016/q3/44

Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758

Comment 5 Wade Mealing 2016-07-12 05:48:19 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1355615]

Comment 6 Wade Mealing 2016-07-12 05:53:42 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4 and 5.

Comment 7 Wade Mealing 2016-07-12 05:56:02 UTC
Acknowledgements: 

Name: Yue Cao (Cyber Security Group of the CS department of University of California in Riverside)

Comment 11 Josh Poimboeuf 2016-07-13 13:52:56 UTC
Here's v2 of the patch (which is the version which was merged into the network tree):

  https://www.mail-archive.com/netdev@vger.kernel.org/msg118824.html

Comment 17 Fedora Update System 2016-07-19 22:20:14 UTC
kernel-4.6.4-201.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-07-20 00:21:47 UTC
kernel-4.6.4-301.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Ján Rusnačko 2016-08-11 08:09:32 UTC
External References:

http://lwn.net/Articles/696868/

Comment 24 Steve Bryant 2016-08-12 20:11:32 UTC
In the changelog to kernel-core-4.6.5-301.fc24 (and subsequent kernels) it has:

> * Tue Jul 12 2016 Josh Boyer <xxxxxxxxxxxxxxxxxxxxxxxx> - 4.6.4-301
> - CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615)

Can you confirm whether "CVE-2016-5969" is in fact a typo for "CVE-2016-5696"?

Thanks!

Comment 32 Petr Matousek 2016-08-18 13:29:34 UTC
(In reply to Steve Bryant from comment #24)
> In the changelog to kernel-core-4.6.5-301.fc24 (and subsequent kernels) it
> has:
> 
> > * Tue Jul 12 2016 Josh Boyer <xxxxxxxxxxxxxxxxxxxxxxxx> - 4.6.4-301
> > - CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615)
> 
> Can you confirm whether "CVE-2016-5969" is in fact a typo for
> "CVE-2016-5696"?

Indeed, it is a typo.

Comment 33 errata-xmlrpc 2016-08-18 18:23:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1632 https://rhn.redhat.com/errata/RHSA-2016-1632.html

Comment 34 errata-xmlrpc 2016-08-18 18:23:45 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1631 https://rhn.redhat.com/errata/RHSA-2016-1631.html

Comment 35 errata-xmlrpc 2016-08-18 20:07:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1633 https://rhn.redhat.com/errata/RHSA-2016-1633.html

Comment 38 errata-xmlrpc 2016-08-23 16:13:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2016:1657 https://rhn.redhat.com/errata/RHSA-2016-1657.html

Comment 39 Francesco Ciocchetti 2016-08-23 16:38:33 UTC
Hi,

Is there an ETA, or a plan at all, to backport the fixes to EL6?

Thanks

Comment 40 errata-xmlrpc 2016-08-23 18:37:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1664 https://rhn.redhat.com/errata/RHSA-2016-1664.html

Comment 41 gomm 2016-08-29 06:26:50 UTC
If I take an interim action, what should the number of challenge ACKs be?
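
A read-only host check added here as an illustration (it is not code from the bug report, Red Hat or the kernel project): it compares the running kernel against the upstream "Fixed In" versions listed above and, where no upstream fix is present, reports the net.ipv4.tcp_challenge_ack_limit sysctl, whose raising to a very large value was the common interim mitigation. The interim value used is an assumption, and distribution kernels that backport the fix (such as the Fedora 4.6.4 builds above) must be checked against their errata rather than by version number.

```sh
#!/bin/sh
# Added host check for CVE-2016-5696 (not code from the bug report or Red Hat).
# Upstream "Fixed In" versions come from this report; INTERIM_LIMIT is an
# assumed value for the interim mitigation of raising the shared rate limit
# until a kernel with randomized challenge ACK limits is installed.

SYSCTL_PATH=/proc/sys/net/ipv4/tcp_challenge_ack_limit
INTERIM_LIMIT=999999999   # assumption: large enough to remove the shared ceiling

# classify_limit VALUE -> prints "low", "raised" or "invalid"
classify_limit() {
    case "$1" in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$1" -ge "$INTERIM_LIMIT" ]; then echo raised; else echo low; fi
}

# upstream_fixed VERSION -> exit 0 if an upstream kernel of that version carries
# the fix (4.7.1, 4.6.7, 4.4.18, 3.14.76 or any 4.8+ release). Other stable
# series are unknown and reported as not fixed; distribution kernels that
# backport the fix (e.g. the Fedora 4.6.4 builds above) need an errata check.
upstream_fixed() {
    v=${1%%-*}                           # drop "-201.fc23" style suffixes
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0    # "4.8" has no patch component
    patch=${patch%%.*}                   # keep only the first patch component
    case "$major.$minor" in
        4.7)  [ "$patch" -ge 1 ] ;;
        4.6)  [ "$patch" -ge 7 ] ;;
        4.4)  [ "$patch" -ge 18 ] ;;
        3.14) [ "$patch" -ge 76 ] ;;
        *)    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 8 ]; } ;;
    esac
}

# check_host -> one-line status for the running kernel and its sysctl setting
check_host() {
    kver=$(uname -r)
    if upstream_fixed "$kver"; then
        echo "kernel $kver: upstream fix present, no sysctl tuning needed"
        return 0
    fi
    limit=$(cat "$SYSCTL_PATH" 2>/dev/null || echo missing)
    echo "kernel $kver: fix not confirmed; tcp_challenge_ack_limit=$limit ($(classify_limit "$limit"))"
}

check_host
```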

Comment 46 errata-xmlrpc 2016-09-06 10:03:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2016:1814 https://rhn.redhat.com/errata/RHSA-2016-1814.html

Comment 47 errata-xmlrpc 2016-09-06 10:19:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:1815 https://rhn.redhat.com/errata/RHSA-2016-1815.html

Comment 49 errata-xmlrpc 2016-09-27 14:20:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:1939 https://rhn.redhat.com/errata/RHSA-2016-1939.html