Is there a workaround for the RFC 5961 Linux TCP flaw?

Solution 1:

Note: The Workaround section has been kept for historical reasons; however, please skip down to the Fix section below.

Workaround:

As stated here:

The good news -- and, yes, there is good news -- is it's easy to fix. First, Linux itself is being patched to stop the attack vector in its track. Next, you simply raise the 'challenge ACK limit' to an extremely large value to make it practically impossible to exploit the side channel problem that enabled the attack to work.

As this issue affects both the client and server, or in fact any two Linux machines talking over the network, it is important to implement the workaround in both, and the fix as soon as it is released.

In order to implement the workaround do the following:

  1. Open the config file with: sudoedit /etc/sysctl.conf
  2. Insert the line net.ipv4.tcp_challenge_ack_limit = 999999999 into the file and save it
  3. Run sudo sysctl -p to update the configuration

You can also do the operation directly from Terminal:

sudo bash -c 'echo "net.ipv4.tcp_challenge_ack_limit = 999999999" >>/etc/sysctl.conf'

Or:

echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' | sudo tee -a /etc/sysctl.conf

Then run:

sudo sysctl -p

Fix:

As stated here:

net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly
determine the rate of challenge ACK segments, which makes it easier for
man-in-the-middle attackers to hijack TCP sessions via a blind in-window
attack.
...
sbeattie> fix is going to land in Ubuntu kernels in this SRU cycle,  
with a likely release date of Aug 27. Earlier access to the kernels  
with the fix will be available from the -proposed pocket, though they 
come with the risk of being less tested.

And a fix has now been released:

linux (4.4.0-36.55) xenial; urgency=low

  [ Stefan Bader ]

  * Release Tracking Bug
    - LP: #1612305

  * I2C touchpad does not work on AMD platform (LP: #1612006)
    - SAUCE: pinctrl/amd: Remove the default de-bounce time

  * CVE-2016-5696
    - tcp: make challenge acks less predictable

 -- Stefan Bader <[email protected]>  Thu, 11 Aug 2016 17:34:14 +0200

Run:

sudo apt-get update
sudo apt-get dist-upgrade

To make sure you have the latest version. Or use the Software Updater if you would prefer to update through the GUI.

You can check which version you are running and which is available with:

apt-cache policy linux-image-generic
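As an added defender-side check (not part of the answer above), the script below reports whether the sysctl workaround is actually in effect, reading both the live kernel value and /etc/sysctl.conf. The file paths are parameters so it can be run against constructed files, and using 999999999 as the threshold is an assumption taken from the answer.

```shell
#!/bin/sh
# Added example, not from the original answer: verifies the RFC 5961
# challenge-ACK workaround. Paths default to the real locations but can
# be overridden so the functions are testable offline. The threshold is
# an assumption based on the value recommended in the answer.

THRESHOLD=999999999

# check_challenge_ack_limit [file]: reads the live limit (default
# /proc/sys/net/ipv4/tcp_challenge_ack_limit). Returns 0 if it is at
# least THRESHOLD, 1 if it is lower, 2 if the file is unreadable/invalid.
check_challenge_ack_limit() {
    f="${1:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"
    [ -r "$f" ] || return 2
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$v" -ge "$THRESHOLD" ]
}

# conf_has_workaround [sysctl.conf]: returns 0 if the last uncommented
# net.ipv4.tcp_challenge_ack_limit line sets a value >= THRESHOLD,
# 1 if absent or too low, 2 if the file is unreadable.
conf_has_workaround() {
    conf="${1:-/etc/sysctl.conf}"
    [ -r "$conf" ] || return 2
    v=$(sed -n 's/^[[:space:]]*net\.ipv4\.tcp_challenge_ack_limit[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$v" ] || return 1
    [ "$v" -ge "$THRESHOLD" ]
}

# report: human-readable summary against the real system paths.
report() {
    if check_challenge_ack_limit; then
        echo "live tcp_challenge_ack_limit is raised (>= $THRESHOLD)"
    else
        echo "live tcp_challenge_ack_limit is NOT raised (or sysctl not present on this kernel)"
    fi
    if conf_has_workaround; then
        echo "/etc/sysctl.conf persists the workaround"
    else
        echo "/etc/sysctl.conf does not persist the workaround"
    fi
    echo "running kernel: $(uname -r); the proper fix is a kernel carrying the CVE-2016-5696 patch"
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as `sh check_rfc5961.sh --report`; note that on recent kernels the sysctl may no longer exist, in which case only the kernel version matters.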