
#1 2016-08-13 10:02:59

OlaffTheGreat
Member
Registered: 2013-06-03
Posts: 107

[Solved] Serious flaw in RFC5961 - TCP/IP Hijacking risk issue

Hi,

I read yesterday on theregister.co.uk and here that a serious flaw was discovered in the RFC5961 implementation for kernel 4.7,
giving an intruder the possibility to sneak easily into any Linux-operated machine.

After searching for Arch Linux related threads about this, I have come to ask for suggestions.

The paper and some others suggest this workaround, to add in /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

Given that Arch Linux uses the folder /etc/sysctl.d instead,
I followed this post where Marius suggests this way:

# echo "net.ipv4.tcp_challenge_ack_limit = 999999999" > /etc/sysctl.d/1-tcp-challenge-ack.conf
$ sysctl -p

However, the last command tells me, obviously:

$ sysctl -p
sysctl: cannot open "/etc/sysctl.conf": No such file or directory

How do I apply the work around? What would be your recommendations?

Edit: solved by updating to kernel 4.7, which includes the fix for this issue.

Last edited by OlaffTheGreat (2016-08-13 10:38:18)


Lenovo Thinkpad x230 i5-3320M 2.6GHz 250GB SSD (M4) 16GB
SSD | SeaBIOS | GPT | BTRFS | OpenRC | Xfce4 | Zsh | Tmux | Spacemacs
* "Aware Newbie" *
Ibus IM for language script support (e.g. 日本語 - 中文)


#2 2016-08-13 10:17:40

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: [Solved] Serious flaw in RFC5961 - TCP/IP Hijacking risk issue

Permanent fix

For a permanent fix, the 4.7 upstream Linux kernel hardens against this exploit by both randomizing the maximum number of challenge ACKs sent per second, as well as enforcing the per-socket challenge ACK limits in all cases.

All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.


#3 2016-08-13 10:22:29

loqs
Member
Registered: 2014-03-06
Posts: 17,323

Re: [Solved] Serious flaw in RFC5961 - TCP/IP Hijacking risk issue

https://bbs.archlinux.org/viewtopic.php?id=215796

OlaffTheGreat wrote:

I read yesterday on theregister.co.uk and here that a serious flaw was discovered in the RFC5961 implementation for kernel 4.7,

The Register article does not mention 4.7 that I can see; the Akamai article states it is fixed in 4.7.

$ sysctl -p

From man 8 sysctl

-p[FILE], --load[=FILE]
       Load in sysctl settings from the file specified or /etc/sysctl.conf if none given. Specifying - as filename means reading data from standard input. Using this option will mean arguments to sysctl are files, which are read in the order they are specified. The file argument may be specified as regular expression.


#4 2016-08-13 10:29:54

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,732

Re: [Solved] Serious flaw in RFC5961 - TCP/IP Hijacking risk issue

# sysctl -w net.ipv4.tcp_challenge_ack_limit=1500


(not needed for kernel 4.7)

Last edited by Head_on_a_Stick (2016-08-13 10:30:04)

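The two points made in the replies above (load a drop-in with `sysctl -p FILE` rather than bare `sysctl -p`, and skip the workaround altogether once the kernel is 4.7 or newer) can be tied together in one small POSIX sh helper. This is an added example, not code from the thread or from any of the posters; the drop-in path and the 999999999 value are taken from the first post, the 4.7 cut-off from the Akamai statement quoted by loafer, and the function names are hypothetical:

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helper that decides
# whether the RFC 5961 challenge-ACK workaround is still needed on this
# kernel and, if so, installs it as an /etc/sysctl.d drop-in and loads it
# with an invocation that actually reads drop-ins. Bare "sysctl -p" reads
# only /etc/sysctl.conf, which Arch does not ship, hence the error in post #1.

SYSCTL_KEY=net.ipv4.tcp_challenge_ack_limit
WORKAROUND_VALUE=999999999                      # value from the paper / post #1
DROPIN=/etc/sysctl.d/1-tcp-challenge-ack.conf   # path from post #1 (assumed)

# Exit 0 when a kernel release string (e.g. "4.6.4-1-ARCH", "4.7.0-1")
# is older than 4.7, i.e. predates the upstream randomised ACK limit.
# Exit 1 when the kernel is 4.7 or newer, 2 when the string is unparsable.
kernel_needs_workaround() {
    rel=${1%%-*}            # drop "-1-ARCH" style suffix
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*|'') return 2 ;; esac
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -lt 7 ]; then return 0; fi
    return 1
}

# Print the drop-in body in sysctl.d syntax (one "key = value" line).
render_dropin() {
    printf '%s = %s\n' "$SYSCTL_KEY" "$WORKAROUND_VALUE"
}

# Value the running kernel currently reports (empty if the key is absent).
current_limit() {
    sysctl -n "$SYSCTL_KEY" 2>/dev/null
}

# Write the drop-in and load that file explicitly. Needs root.
# "sysctl --system" would also pick it up, along with every other drop-in.
install_workaround() {
    render_dropin > "$DROPIN"
    sysctl -p "$DROPIN"
}

main() {
    rel=$(uname -r)
    if kernel_needs_workaround "$rel"; then
        echo "kernel $rel predates the 4.7 fix; installing workaround"
        install_workaround
    else
        echo "kernel $rel already carries the upstream fix; nothing to do"
    fi
    echo "$SYSCTL_KEY is now $(current_limit)"
}

# Only act when invoked as "sh script.sh install"; otherwise just define helpers.
if [ "${1:-}" = install ]; then
    main
fi
```

Run it as root with the `install` argument. The version check only looks at major.minor of `uname -r`, which is enough to separate the affected 4.6 and earlier kernels from 4.7; a distribution kernel that backported the fix under an older version number would still be flagged, so on such a system trust the changelog rather than this check.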

#5 2016-08-13 10:31:31

OlaffTheGreat
Member
Registered: 2013-06-03
Posts: 107

Re: [Solved] Serious flaw in RFC5961 - TCP/IP Hijacking risk issue

@loafer
So I read, but the post goes on to say:

We will provide a link to the announcement/presentation when it becomes available. In the meantime, please check out the below for additional information.

This line confused me:
does this mean the fix is not already implemented in the kernel, or that it is but not yet documented?


@loqs
oh... I searched "RFC 5961" only as a keyword. Missed this post.

@Head_on_a_Stick
Thank you for the tip, I feel closure now!

Last edited by OlaffTheGreat (2016-08-13 10:42:58)


