
Thread: RFC 5961 TCP ACK vulnerability

  1. #1

    RFC 5961 TCP ACK vulnerability

    This bug was just made public today.
    I have several machines running SUSE Linux Enterprise Server from version 10 to 12 SP1.
    How can I tell whether any of these SLES machines have the RFC 5961 vulnerability?

    Thank you,

  2. #2

    Re: RFC 5961 TCP ACK vulnerability

    Based on the dates, probably vulnerable since 2012 was long ago and SLES
    12 came out since then.

    With that in mind, have you tried the configuration change to fix this?

    Code:
    # Persist the raised challenge-ACK limit, then reload /etc/sysctl.conf
    echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf;
    sysctl -p

    I'm having a hard time finding the CVE for this for some reason, but if
    there is one then searching on SUSE's site for CVE information is pretty
    easy from the list of all of them ever: https://www.suse.com/security/cve/

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3

    Re: RFC 5961 TCP ACK vulnerability

    Originally posted by ab:
    > Based on the dates, probably vulnerable since 2012

    No, this vulnerability was just announced today.

  4. #4

    Re: RFC 5961 TCP ACK vulnerability

    On 11/08/16 17:14, pasiit wrote:

    > 'This bug'
    > (http://www.theregister.co.uk/2016/08...ommunications/)
    > was just public today.
    > I have several machines running SUSE Linux Enterprise Server from
    > version 10 to 12 SP1.
    > How can I tell if any of these SLES are having the RFC 5961?


    From the bug report attached to
    https://www.suse.com/security/cve/CVE-2016-5696.html it looks like this
    might affect SLE12 kernels with a feature backported for SLE11 SP3 and
    SP4 (but you'll need Long Term Service Pack Support for any patches
    released for SLE11 SP3).

    Note that if you're concerned about security you should have already
    upgraded/migrated servers running old, unsupported versions of SLES to
    current releases SLES11 SP4 or SLES12 SP1.

    HTH.
    --
    Simon
    SUSE Knowledge Partner

    ------------------------------------------------------------------------
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below. Thanks.
    ------------------------------------------------------------------------

  5. #5

    Re: RFC 5961 TCP ACK vulnerability

    > From the bug report attached to
    > https://www.suse.com/security/cve/CVE-2016-5696.html it looks like this
    > might affect SLE12 kernels with a feature backported for SLE11 SP3 and
    > SP4 (but you'll need Long Term Service Pack Support for any patches
    > released for SLE11 SP3).

    Hi Simon,

    Thank you for responding.
    The CVE you provided does not mention anything about the vulnerability with the RFC 5961.
    I can't understand how you can determine that this RFC5961 vulnerability affects all SLES?

    Best regards,

  6. #6

    Re: RFC 5961 TCP ACK vulnerability

    The bug linked to that CVE is for this issue, so SUSE is working on the
    issue as Bug# 989152.

    See the public comments here:
    https://bugzilla.suse.com/show_bug.cgi?id=989152

    Of particular interest:
    > ....Therefore SLE11-SP3-LTSS, SLE11-SP4 and newer kernels (except
    > master/stable which already have the fix via 4.7) need commit 75ff39ccc1bd.



    --
    Good luck.


  7. #7

    Re: RFC 5961 TCP ACK vulnerability

    On 11/08/16 18:54, pasiit wrote:

    > Thank you for responding.
    > Your provided CVE does not mention anything about the vulnerability with
    > the RFC 5961.


    http://lmgtfy.com/?q=rfc+5961+cve

    That gave me CVE-2016-5696 so I then hit SUSE's security pages.

    > I can't understand how you can determine that this RFC5961 vulnerability
    > affect all SLES?


    As ab said, from the publicly viewable comments of bug 989152 linked to
    the SUSE CVE page, specifically comment 3[1].

    HTH.

    [1] https://bugzilla.suse.com/show_bug.cgi?id=989152#c3
    --
    Simon
    SUSE Knowledge Partner


  8. #8

    Re: RFC 5961 TCP ACK vulnerability

    In that bug post Michal said: "need commit 75ff39ccc1bd".
    What is 75ff39ccc1bd?

    Thank you,

  9. #9

    Re: RFC 5961 TCP ACK vulnerability

    On 08/12/2016 08:14 AM, pasiit wrote:
    >> [1] https://bugzilla.suse.com/show_bug.cgi?id=989152#c3
    >
    > That bug post Michal said: "need commit 75ff39ccc1bd".
    > What is 75ff39ccc1bd?


    Commits in git (and possibly other distributed version control systems)
    are identified by a hash of their contents, which are represented by the
    minimum amount needed to uniquely identify them; in this case, the commit
    (probably to the kernel since I assume that is where this RFC was
    implemented as part of the TCP/IP stack) identifier is that string.

    You should not need to worry about that; if you want to know if your
    installed kernel has a fix, search for the CVE number or the Bug# in the
    kernel's package metadata; for example:

    Code:
    rpm -q --changelog kernel-default | less

    Search through and you should see several notes about bug fixes, and
    eventually the one above. You could also, if really motivated, pull down
    the 'kernel-source' package and search through it for the fix as shown in
    other bug comments (bleh). It looks like the 'net/ipv4/tcp_input.c' and
    Documentation/networking/ip-sysctl.txt files were updated/created, in
    particular changing sysctl_tcp_challenge_ack_limit from 100 to 1000 by
    default, along with some other code changes you can see.

    --
    Good luck.


  10. #10

    Re: RFC 5961 TCP ACK vulnerability


    > Code:
    > rpm -q --changelog kernel-default | less

    I found out that my SLES10 machines don't have the file /proc/sys/net/ipv4/tcp_challenge_ack_limit.
    Based on some reading, this means the machines don't have the RFC5961. Therefore, these machines are not affected.

    I did a

    Code:
    rpm -q --changelog kernel-default | grep 75ff39ccc1bd

    on the affected machines (SLES11 -> 12) and nothing came up.
    Does this mean these machines are not patched for this vulnerability?

    Does the command

    Code:
    sysctl -p

    affect anything on the running system (such as restarting a service or stopping something temporarily)?

    Thank you,
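
The checks discussed in this thread (whether the tcp_challenge_ack_limit sysctl exists, whether the kernel changelog references the CVE or bug number, and whether the limit was raised as a workaround) combined into one triage script. This is an added example, not part of any post; the changelog pattern, the status labels and the sample changelog line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage one host for CVE-2016-5696.
CVE_ID="CVE-2016-5696"
BUG_ID="989152"   # SUSE Bugzilla number quoted in the thread
LIMIT_FILE="/proc/sys/net/ipv4/tcp_challenge_ack_limit"
WORKAROUND_LIMIT=999999999   # value suggested in post #2

# Reads an RPM changelog on stdin; succeeds if it mentions the CVE or the bug.
# The bsc#/bnc# prefixes are an assumption about how the bug is referenced.
changelog_has_fix() {
    grep -Eq "${CVE_ID}|(bsc|bnc)#${BUG_ID}"
}

# assess FILE  (changelog on stdin) -> prints one status word (labels are ours):
#   no-rfc5961  sysctl absent, the inference drawn in post #10
#   patched     changelog references the CVE or bug
#   mitigated   unpatched, but the limit is raised to the workaround value
#   vulnerable  none of the above
assess() {
    limit_file=$1
    if [ ! -r "$limit_file" ]; then
        echo "no-rfc5961"; return 0
    fi
    if changelog_has_fix; then
        echo "patched"; return 0
    fi
    limit=$(cat "$limit_file")
    if [ "$limit" -ge "$WORKAROUND_LIMIT" ]; then
        echo "mitigated"
    else
        echo "vulnerable"
    fi
}

# Constructed changelog line for an offline run; not real package output.
SAMPLE='- constructed entry: TCP challenge ACK fix (bsc#989152, CVE-2016-5696)'

if [ "${1:-}" = "--live" ]; then
    # On a SLES host: check the installed kernel-default package.
    rpm -q --changelog kernel-default | assess "$LIMIT_FILE"
elif printf '%s\n' "$SAMPLE" | changelog_has_fix; then
    echo "sample changelog references the fix"
fi
```

The changelog describes the installed package, so compare the package version with `uname -r` to confirm the running kernel is the patched one.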
