Security Linux TCP flaw CVE-2016-5696 allows hackers to hijack net traffic & inject malware remotely

Discussion in 'CentOS, Redhat & Oracle Linux News' started by pamamolf, Aug 12, 2016.

  1. pamamolf

    If you are using the Internet, there is a possibility that you are open to attack.

    The Transmission Control Protocol (TCP) implementation in all Linux systems deployed since 2012 (version 3.6 and above of the Linux kernel) poses a serious threat to Internet users, whether or not they use Linux directly.

    This issue is troubling because Linux is used widely across the Internet, from web servers to Android smartphones, tablets, and smart TVs.

    Researchers have uncovered a serious Internet flaw, which if exploited, could allow attackers to terminate or inject malware into unencrypted communication between any two vulnerable machines on the Internet.

    The vulnerability could also be used to forcefully terminate HTTPS encrypted connections and downgrade the privacy of secure connections, and it also threatens the anonymity of Tor users by routing them to certain malicious relays.

    The flaw actually resides in the design and implementation of the Request for Comments: 5961 (RFC 5961) – a relatively new Internet standard that's designed to make commonly used TCP more robust against hacking attacks.


    TCP protocol is the heart of all Internet communications, as all application level protocols, including HTTP, FTP, SSH, Telnet, DNS, and SMTP, stand on TCP.

    Web servers and other applications make use of TCP protocol to establish connections between hosts to transfer data between them.

    A team of six security researchers from the University of California, Riverside and the U.S. Army Research Laboratory has demonstrated a proof-of-concept exploit at the USENIX Security Symposium that can be used to detect if two hosts are communicating over TCP and ultimately attack that traffic.

    No Need of Man-in-the-Middle Position
    Typically, TCP protocol assembles messages into a series of data packets that are identified by unique sequence numbers and transmitted to the receiver. When received, the data packets are then reassembled by the receiver into the original message.

    Researchers found that a 'side channel' attack allows hackers to guess the TCP packet sequence numbers accurately within the first 10 seconds of the attack, using no more information than the IP addresses of both parties.

    This means an attacker with a spoofed IP address does not need a man-in-the-middle (MITM) position to intercept and inject malicious TCP packets between any two arbitrary machines on the Internet.

    The researchers detailed their findings in the paper titled, 'Off-Path TCP Exploits: Global Rate Limit Considered Dangerous' [PDF], which they presented at the conference, showing the audience how they injected a phishing form inside the USA Today website.

    Targeting the Tor Network

    The researchers also show how the flaw (CVE-2016-5696) can be exploited to break Secure Shell (SSH) connections and tamper with encrypted communications traveling over the Tor anonymity network.

    "In general, we believe that a DoS [Denial of Service] attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide," the paper reads.

    "The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection. If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays."

    The team also provided recommendations on how to mitigate the attack.

    Here's How to Mitigate TCP Attack:

    While patches to fix the vulnerability are developed and distributed for the current Linux kernel, as a workaround you can raise the ACK rate limit on your Linux machine or gadget to large values so that it cannot be reached.

    For this, you are required to append the following to /etc/sysctl.conf:
    Code:
    net.ipv4.tcp_challenge_ack_limit = 999999999
    Once done, use sysctl -p to activate the new rule. You need to be root to do this.

    The researchers also note that while Linux version 3.6 and above are vulnerable to this attack, Windows, OS X and FreeBSD are not believed to be vulnerable because they have not yet fully implemented RFC 5961.

    News source: The Hacker News — Cyber Security, Hacking, Technology
  2. eva2000

    Thanks for the heads up

    TCP Flaw CVE-2016-5696 Workaround

    Update: August 31st, 2016 - CentOS 6 related kernel update fix for this security flaw was released along with additional security fixes: Security - CentOS 6.x Kernel Security Update (reboot required)

    Update: August 21st, 2016 - RedHat has released RHEL7 Kernel update (kernel-3.10.0-327.28.3.el7.x86_64) for TCP fix but RHEL6 does not yet have a Kernel Update. Once Kernel is updated, you would require a server reboot. Full details here.

    Updated both Centmin Mod 123.08stable and 123.09beta01 builds with workaround fixes for TCP Flaw CVE-2016-5696 outlined here. After updating your Centmin Mod installs via the instructions below, run centmin.sh once and the workaround will be applied automatically. You can verify the workaround fix is in place via the command
    Code (Text):
    sysctl -a | grep ack_limit


    which should return output of
    Code (Text):
    sysctl -a | grep ack_limit
    net.ipv4.tcp_challenge_ack_limit = 999999999


    Note: OpenVZ VPS systems are unable to adjust TCP values at the server level, so you need your web host to do it for you.

    If for whatever reason the auto fix doesn't apply, you can do it manually via these 2 commands

    For CentOS 6
    Code (Text):
    echo "net.ipv4.tcp_challenge_ack_limit = 999999999" >> /etc/sysctl.conf; sysctl -p;
    sysctl -a | grep ack_limit
    

    For CentOS 7
    Code (Text):
    echo "net.ipv4.tcp_challenge_ack_limit = 999999999" >> /etc/sysctl.d/101-sysctl.conf; sysctl -p;
    sysctl -a | grep ack_limit
    

    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:
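The verification steps above (checking `tcp_challenge_ack_limit` and checking `uname -r` as the later reply suggests) can be combined into one script. This is an added example, not Centmin Mod's own code: it takes the sysctl path and the 999999999 workaround value from this thread, and its kernel check only looks at the upstream base version (3.6 and newer), which, as noted further down in the thread, is not sufficient on RHEL/CentOS because Red Hat backports changes while keeping the base version number.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: report the CVE-2016-5696 workaround
# state on a host. Assumptions: the sysctl path and the 999999999 workaround
# value come from the thread above; the base-kernel check alone does not decide
# whether a RHEL/CentOS kernel is affected (vendor backports), so treat it as a
# hint and rely on the vendor advisory / kernel update for the real answer.

WORKAROUND_VALUE=999999999
SYSCTL_FILE=/proc/sys/net/ipv4/tcp_challenge_ack_limit

# ack_limit_ok VALUE: exit 0 if VALUE is numeric and at least the workaround
# value, 1 if it is a smaller number, 2 if VALUE is not a number (e.g. the
# sysctl could not be read).
ack_limit_ok() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge "$WORKAROUND_VALUE" ]
}

# kernel_base_at_least_3_6 RELEASE: exit 0 if the upstream base version in a
# `uname -r` string (e.g. 3.10.0-327.28.2.el7.x86_64) is 3.6 or newer, 1 if it
# is older, 2 if the string cannot be parsed.
kernel_base_at_least_3_6() {
    _major=${1%%.*}
    case "$1" in
        *.*) _rest=${1#*.} ;;
        *)   _rest=0 ;;
    esac
    _minor=${_rest%%[!0-9]*}          # digits up to the next non-digit
    case "$_major$_minor" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$_major" -gt 3 ] || { [ "$_major" -eq 3 ] && [ "$_minor" -ge 6 ]; }
}

# workaround_status VALUE RELEASE: print a one-line summary combining both
# checks. Written so it is safe under `set -e` (no bare failing command).
workaround_status() {
    ack_limit_ok "$1" && _rc=0 || _rc=$?
    if [ "$_rc" -eq 0 ]; then
        _ack="workaround applied (tcp_challenge_ack_limit=$1)"
    elif [ "$_rc" -eq 2 ]; then
        _ack="tcp_challenge_ack_limit not readable here (OpenVZ guest or non-Linux host: ask your web host)"
    else
        _ack="workaround NOT applied (tcp_challenge_ack_limit=$1)"
    fi
    if kernel_base_at_least_3_6 "$2"; then
        _kern="base kernel $2 is in the 3.6+ range named in the advisory"
    else
        _kern="base kernel $2 predates 3.6; RHEL/CentOS backports mean it may still be affected, check the vendor advisory"
    fi
    printf '%s; %s\n' "$_ack" "$_kern"
}

# Live report for the host this runs on (prints only, never fails).
if [ -r "$SYSCTL_FILE" ]; then
    workaround_status "$(cat "$SYSCTL_FILE")" "$(uname -r)"
else
    workaround_status "" "$(uname -r)"
fi
```

Run it as root (or any user, since it only reads `/proc`) before and after `sysctl -p`; the first field of the output tells you whether the workaround value is in effect, the second only whether the base kernel version falls in the range the advisory names.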
  3. eva2000

    Web host message I am sending to the hosts I have OpenVZ VPS servers with

  4. Revenge

    OpenVZ normally uses Kernel 2.6.32. This flaw is only in kernels 3.6+ correct?
  5. eva2000

  6. Revenge

    So in the case of Centminmod, this will only happen on CentOS 7 installations, excluding OpenVZ VPSs.
  7. eva2000

    It may happen on CentOS 6 too if the server uses a new kernel, e.g. Linode uses 4.6+ now.

    Just double check what kernel your server uses:
    Code (Text):
    uname -r
  8. eva2000

    More news at TCP Flaw in Linux Servers Allows Web Traffic Hijacking

  9. Oxide

    [root@aegaegaeg~]# sysctl -a | grep ack_limit
    net.ipv4.tcp_challenge_ack_limit = 100

    uhm, am I secure lmao

  10. eva2000

  11. Oxide

    Dedicated and OVH's cloud VPS.. no idea :(

    [root@main-ovh ~]# uname -r
    3.10.0-327.28.2.el7.x86_64

    [root@s~]# uname -a
    Linux s.ovh.net 2.6.32-642.1.1.el6.x86_64 #1 SMP Tue May 31 21:57:07 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

    [root@d~]# uname -a
    Linux d.ovh.net 2.6.32-573.26.1.el6.x86_64 #1 SMP Wed May 4 00:57:44 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  12. eva2000

    See my update reply above yours.

  13. Oxide

    ye
    sorry but I'm still very confused, which one of my three is at risk.. all?

  14. eva2000

  15. eva2000

    FYI, the kernel committed fix, if folks are curious: kernel/git/torvalds/linux.git - Linux kernel source tree

  16. eva2000

    @pamamolf please update 1st post with the source news link for that info as well :)
  17. eva2000

  18. eva2000

    Hmm, just a thought though: as Red Hat and thus CentOS have a tradition of backporting stuff and keeping the version number the same, could 2.6.32 have backported this flaw??

    Edit: confirmed RHEL 6 and 7 affected, so CentOS 6 and 7 too: CVE-2016-5696 - Red Hat Customer Portal

    The web hosts I contacted regarding OpenVZ 2.6.32 kernel based servers that have so far replied said they are using the KernelCare kernel patching service for auto patching (CloudLinux - Main | New template), so they are probably already fixed up.

  19. eva2000

  20. trxerz

    Hi,
    My instances on Vultr have this kernel version:
    Code:
    2.6.32-642.3.1.el6.x86_64
    Am I affected?