Dear Linux Developers, We're reaching out to you as part of the disclosure process of our research. In our research, which we will present at IEEE Security & Privacy in May 2024, we found that attackers can not only create TCP-spoofed connections (which was already known), but can also reliably transmit IP-spoofed data over such connections. This has security implications for applications that rely on TCP endpoint IP addresses, such as firewalling or host-based authentication (e.g., SMTP/SPF, of DBs). We basically discovered two TCP spoofing primitives. First, attackers can bruteforce the server-chosen send window by acknowledging data that was never sent (what we call "ghost ACKs"; see Figure 3 in the paper). Second, we show that there are side channels that allow the attacker to leak the otherwise-secret server-chosen initial sequence number (ISN). One of these side channels leverages TCP SYN cookies. We believe that the TCP/IP stack can take countermeasures to prevent such attacks, or at least make them harder. For example, we think that TCP endpoints should ignore ghost ACKs, and have some ideas to randomize the TCP backlog queue to prevent the SYN cookie side channel. At the same time, we have disclosed our findings to the IETF folks and hope that they have helpful feedback for us.
*** Bug 2262763 has been marked as a duplicate of this bug. ***
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2279717]
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2023-52881 is: CHECK Maybe valid. Check manually. with impact MODERATE (that is approximation based on flags REMOTE NETWORK IMPROVEONLY ; these flags parsed automatically based on patche data). Such automatic check happens only for Low/Moderates (and only when not from reporter, but parsing already existing CVE). Highs always checked manually (I check it myself and then we check it again in Remediation team). In rare cases some of the Moderates could be increased to High later.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:4211 https://access.redhat.com/errata/RHSA-2024:4211
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:4352 https://access.redhat.com/errata/RHSA-2024:4352
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2024:5281 https://access.redhat.com/errata/RHSA-2024:5281
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:6206 https://access.redhat.com/errata/RHSA-2024:6206
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:10773 https://access.redhat.com/errata/RHSA-2024:10773
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:10772 https://access.redhat.com/errata/RHSA-2024:10772