Bug 1354708 (CVE-2016-5696) - CVE-2016-5696 kernel: challenge ACK counter information disclosure.
Summary: CVE-2016-5696 kernel: challenge ACK counter information disclosure.
Status: CLOSED ERRATA
Alias: CVE-2016-5696
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20160712,repo...
Keywords: Security
Depends On: 1355603 1355605 1355606 1355607 1355615 1355616 1355618 1355619 1355620 1356599 1356600 1356601 1356602 1356603 1356604 1356712
Blocks: 1354704
Reported: 2016-07-12 01:50 UTC by Wade Mealing
Modified: 2016-11-08 16:11 UTC (History)
It was found that the RFC 5961 challenge ACK rate limiting, as implemented in the Linux kernel's networking subsystem, allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes with probe packets. An off-path attacker could use this flaw to terminate a TCP connection and/or inject payload into a non-secured TCP connection between two endpoints on the network.
Clone Of:
Last Closed: 2016-10-14 17:13:21 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1631 normal SHIPPED_LIVE Important: realtime-kernel security and bug fix update 2016-08-18 22:22:19 UTC
Red Hat Knowledge Base (Solution) 2543191 None None None 2016-08-23 23:07 UTC
Red Hat Product Errata RHSA-2016:1632 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2016-08-18 22:22:09 UTC
Red Hat Product Errata RHSA-2016:1633 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-08-19 00:06:50 UTC
Red Hat Product Errata RHSA-2016:1657 normal SHIPPED_LIVE Important: kernel security update 2016-08-23 20:11:31 UTC
Red Hat Product Errata RHSA-2016:1664 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-08-23 22:34:45 UTC
Red Hat Product Errata RHSA-2016:1814 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-09-06 13:59:05 UTC
Red Hat Product Errata RHSA-2016:1815 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-09-06 14:17:59 UTC
Red Hat Product Errata RHSA-2016:1939 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-09-27 18:16:52 UTC

Description Wade Mealing 2016-07-12 01:50:40 UTC
A flaw was found in the implementation of the Linux kernel's handling of
networking challenge ACKs where an attacker is able to determine the
shared counter.

This may allow an attacker located on a different subnet to inject into or take over a TCP connection between a server and client without having to mount a traditional Man In The Middle (MITM) style attack.

OSS-Security post:
http://seclists.org/oss-sec/2016/q3/44

Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758

Comment 5 Wade Mealing 2016-07-12 05:48:19 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1355615]

Comment 6 Wade Mealing 2016-07-12 05:53:42 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4 and 5.

Comment 7 Wade Mealing 2016-07-12 05:56:02 UTC
Acknowledgements: 

Name: Yue Cao (Cyber Security Group of the CS department of University of California in Riverside)

Comment 11 Josh Poimboeuf 2016-07-13 13:52:56 UTC
Here's v2 of the patch (which is the version which was merged into the network tree):

  https://www.mail-archive.com/netdev@vger.kernel.org/msg118824.html

Comment 17 Fedora Update System 2016-07-19 22:20:14 UTC
kernel-4.6.4-201.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-07-20 00:21:47 UTC
kernel-4.6.4-301.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Ján Rusnačko 2016-08-11 08:09:32 UTC
External References:

http://lwn.net/Articles/696868/

Comment 24 Steve Bryant 2016-08-12 20:11:32 UTC
In the changelog to kernel-core-4.6.5-301.fc24 (and subsequent kernels) it has:

> * Tue Jul 12 2016 Josh Boyer <xxxxxxxxxxxxxxxxxxxxxxxx> - 4.6.4-301
> - CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615)

Can you confirm whether "CVE-2016-5969" is in fact a typo for "CVE-2016-5696"?

Thanks!

Comment 32 Petr Matousek 2016-08-18 13:29:34 UTC
(In reply to Steve Bryant from comment #24)
> In the changelog to kernel-core-4.6.5-301.fc24 (and subsequent kernels) it
> has:
> 
> > * Tue Jul 12 2016 Josh Boyer <xxxxxxxxxxxxxxxxxxxxxxxx> - 4.6.4-301
> > - CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615)
> 
> Can you confirm whether "CVE-2016-5969" is in fact a typo for
> "CVE-2016-5696"?

Indeed, it is a typo.

Comment 33 errata-xmlrpc 2016-08-18 18:23:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1632 https://rhn.redhat.com/errata/RHSA-2016-1632.html

Comment 34 errata-xmlrpc 2016-08-18 18:23:45 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1631 https://rhn.redhat.com/errata/RHSA-2016-1631.html

Comment 35 errata-xmlrpc 2016-08-18 20:07:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1633 https://rhn.redhat.com/errata/RHSA-2016-1633.html

Comment 38 errata-xmlrpc 2016-08-23 16:13:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2016:1657 https://rhn.redhat.com/errata/RHSA-2016-1657.html

Comment 39 Francesco Ciocchetti 2016-08-23 16:38:33 UTC
Hi,

Is there an ETA, or a plan at all, to backport the fixes to EL6?

Thanks

Comment 40 errata-xmlrpc 2016-08-23 18:37:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1664 https://rhn.redhat.com/errata/RHSA-2016-1664.html

Comment 41 gomm 2016-08-29 06:26:50 UTC
When I take an interim action, what should the number of challenge ACKs be?
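
Comment 41 asks what value to use as an interim measure. The following is an added example, not code from this bug report, from Red Hat, or from the kernel project: a POSIX shell audit that reads the `net.ipv4.tcp_challenge_ack_limit` sysctl, which is the global per-second challenge ACK budget whose shared counter CVE-2016-5696 measures, and reports whether the host still carries the pre-fix default or has had the limit raised as a workaround. The sysctl path, the pre-fix default of 100, and the "raise it to a very large value" workaround (999999999 here) are assumptions from general knowledge about this flaw, not values taken from this page. The check only tells you whether the workaround was applied; it cannot tell a patched kernel from an unpatched one (the upstream fix also raises the default to 1000 and randomizes the count, so a value above 100 is expected on a fixed kernel), so pair it with the kernel package version against the errata listed above, which remain the real fix.

```shell
#!/bin/sh
# Added example (not from the bug report or from Red Hat): audit the interim
# workaround for CVE-2016-5696, the global challenge ACK budget exposed as
# net.ipv4.tcp_challenge_ack_limit (path below is an assumption, overridable
# so the audit can also be run against a saved copy of the file).
CHALLENGE_ACK_SYSCTL="${CHALLENGE_ACK_SYSCTL:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"

# Pre-fix kernels shipped a default budget of 100 per second (assumed value).
STOCK_DEFAULT=100

# Large value used by the common interim workaround (assumed; any very large
# value serves, the point is that probing cannot exhaust the budget).
WORKAROUND_LIMIT=999999999

# classify_limit VALUE
#   prints one of: invalid | stock-default | raised
classify_limit() {
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$value" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    if [ "$value" -le "$STOCK_DEFAULT" ]; then
        echo stock-default
    else
        echo raised
    fi
}

# audit_host [PATH]
#   reads the sysctl file (default: the live /proc entry) and classifies it;
#   prints "unavailable" when the file cannot be read (non-Linux host, no
#   permission, or a kernel that never had the sysctl at all).
audit_host() {
    path="${1:-$CHALLENGE_ACK_SYSCTL}"
    if [ ! -r "$path" ]; then
        echo unavailable
        return 0
    fi
    classify_limit "$(cat "$path")"
}

# mitigation_line
#   prints the sysctl.d line that applies the interim workaround
mitigation_line() {
    echo "net.ipv4.tcp_challenge_ack_limit = $WORKAROUND_LIMIT"
}

# Stand-alone use: ./audit.sh --run  (audits the running host)
if [ "${1:-}" = "--run" ]; then
    result=$(audit_host)
    echo "challenge ACK limit status: $result"
    if [ "$result" = "stock-default" ]; then
        echo "interim workaround not applied; line for /etc/sysctl.d/:"
        mitigation_line
    fi
fi
```

Run it with `--run` on the host under review; without arguments it only defines the functions, so it can be sourced from a larger compliance script. The classification deliberately stays at "raised" rather than "safe", because on this flaw only the patched kernel closes the side channel.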

Comment 46 errata-xmlrpc 2016-09-06 10:03:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2016:1814 https://rhn.redhat.com/errata/RHSA-2016-1814.html

Comment 47 errata-xmlrpc 2016-09-06 10:19:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:1815 https://rhn.redhat.com/errata/RHSA-2016-1815.html

Comment 49 errata-xmlrpc 2016-09-27 14:20:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:1939 https://rhn.redhat.com/errata/RHSA-2016-1939.html
