Discover Centmin Mod today
Register Now

Security Linux TCP flaw CVE-2016-5696 allows hackers to hijack net traffic & inject malware remotely

Discussion in 'CentOS, Redhat & Oracle Linux News' started by pamamolf, Aug 12, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yes see post here

     
  2. trxerz

    trxerz Member

    69
    5
    8
    Jun 25, 2015
    Ratings:
    +7
    Local Time:
    4:14 AM
    Hi,
    Updating centminmod local code, but the result is different:
    Code:
    net.ipv4.tcp_challenge_ack_limit = 100
    Is it Okay?
     
  3. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  4. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    curious how openvz vps folks are fairing with contacting your web hosts on a weekend regarding this TCP flaw - standard text i am using Security - Linux TCP flaw CVE-2016-5696 allows hackers to hijack net traffic & inject malware remotely | Centmin Mod Community

    so far from 5 web hosts i've contacted via ticketing system
    • 2 web hosts have replied saying they use kernelcare which should have delpoyed a fix for TCP flaw
    • 2 web hosts ticket have yet to reply
    • 1 web host my ticket for it has mysteriously been deleted or maybe placed in some private hold ?
     
  5. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Woah this is getting petty huge - 1.4 billion Android devices affected by TCP Flaw 1.4 Billion Android Devices Affected by Linux TCP Flaw
    Luckily, all my Android and work PC devices are behind private VPN connections either via OpenVPN or L2TP/IPSEC. There's even free VPN like SurfEasy https://community.centminmod.com/posts/31032/ though the connection is flaky for some regions i.e. Australia
     
  6. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    4:14 AM
    1.9.x
    10.1.x
    How can someone exploit your Android device using this flaw? I believe only if you are in a open Wireless and someone that is also in there wants to hack you. All of this is very unlikely.
    When using free open wifi, i always use a VPN. I think anyone here on centminmod have their own vps/server, so we just need to install openvpn on it, and we can use it then ;)
     
  7. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Indeed what i do but i use VPN on any wifi connections even home wifi :)
     
  8. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    5:14 AM
    Workaround can be removed.
    Fixed in the upstream kernel.

     
  9. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    thanks for the heads up

    Redhat upstream info CVE-2016-5696 - Red Hat Customer Portal suggests only RHEL7 / CentOS 7 is fixed, RHEL 6 and thus CentOS 6 still don't have Kernel fix so this workaround still applies

    For RedHat 7 / CentOS 7 Red Hat Customer Portal requires server reboot after updating Kernel

    x86_64:
    Code (Text):
    kernel-3.10.0-327.28.3.el7.x86_64.rpm  MD5: a79b3a46a4da4ebcec8d1903e0d7c610
    SHA-256: 3c396a7108961f2e55051ed985c61e2feb87c182c4a54af228a780b01e17b5f9
    kernel-abi-whitelists-3.10.0-327.28.3.el7.noarch.rpm  MD5: a582f408e1cf1bd18c1e5be3ecfe0580
    SHA-256: 0864bfa8f46b7a07b96047049130925143600da416f5a42719f313134adc67f0
    kernel-debug-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 8bae978adafe4ec8fe09848644c396a4
    SHA-256: ecc27744c50ac4d95390665610787ddcbb70779b5f47080c40c5550d255c96b4
    kernel-debug-debuginfo-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 5c808cca99dc0f640eea19a197ba0021
    SHA-256: 4e8cd5f37af299df55210c2f70a2b7dea893afe24a3b1a9a6ed57cc419f3822e
    kernel-debug-devel-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 429ad4bae2b1fb6b0c4e68aa36cf6511
    SHA-256: f368466eb84fe919a355d94571633f148f586dca236722a41bc8e1510ace3de3
    kernel-debuginfo-3.10.0-327.28.3.el7.x86_64.rpm  MD5: ed3e92c2f47ce73c06c45043850b9935
    SHA-256: 64cb093808f76c8e55b606e60fccffcc7cefeaad377341dc0f926aa41643af38
    kernel-debuginfo-common-x86_64-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 1fb08957e31b68b7192ae407be04539f
    SHA-256: 406d829b4431f0f478a2ff805e0b97b19d42cdda4e1824047561d7b2a573e3e6
    kernel-devel-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 1016d650a6401d1ed717294883f93800
    SHA-256: 5e03a10814531dff2532a266d5824ac48deaeb9b7217eab616f78e0579beed96
    kernel-doc-3.10.0-327.28.3.el7.noarch.rpm  MD5: fbbe98420074461362dea88c238da419
    SHA-256: a502f4d247f6f1475b5638423b33242596990ef9c4ef96010afa215c8388e2f2
    kernel-headers-3.10.0-327.28.3.el7.x86_64.rpm  MD5: a3b2f23c85ba18d9b9af4ab1dde3ba37
    SHA-256: b252bbfe6d40f1048de755ee8a0276b49f4b66610c0d6c723b9cc71091f3d0a2
    kernel-tools-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 66f9721824b6efd9311abb6260e29986
    SHA-256: 93537ba8e4f58a949de97328bcfd59c66134177677129972ca96a6ba6767be37
    kernel-tools-debuginfo-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 9d500af15179f4ac69042b1100c25945
    SHA-256: 137d4820889bb5d5b98a34cd2fb9209d78810ce5d49054f09082ef6f5637c55b
    kernel-tools-libs-3.10.0-327.28.3.el7.x86_64.rpm  MD5: b9a7b33ffbf7e4eed31faa6c16d53f7b
    SHA-256: 6fd4f4f1ca6e891fae0987c4c12a1768c62e2ffa494d4b896204f6240c35f9e5
    kernel-tools-libs-devel-3.10.0-327.28.3.el7.x86_64.rpm  MD5: f22a6245ecf300fd721f1e99080a6bc3
    SHA-256: 0c144a9b83d1d62ff3d853dc2e551866e8e861efad8691474d76a728dad1fa99
    perf-3.10.0-327.28.3.el7.x86_64.rpm  MD5: e0f2b04146352aa8bd06baf21824aa60
    SHA-256: 17855a4547a1eaa0571e6c9348a92fd55e0d729eacd86f05121dc6defe3ec974
    perf-debuginfo-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 1377b262986c71dc70231221dc784414
    SHA-256: f338eea13da257eb270bf1faaa8e8156302445dbc3a0537d3a145e89098ac5ed
    python-perf-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 0b4f2c91cb3e0d62030c2a33a6a8bb97
    SHA-256: 819551d3bb8682846e20f58f982158e80417aebfe0a00dc0c28f840d94733f24
    python-perf-debuginfo-3.10.0-327.28.3.el7.x86_64.rpm  MD5: 0ec0605f1d03451d20969fc4a15d8c53
    SHA-256: cc6f3ed10c5b8d56506da5ceb6bfb793c4af1d5719f68af80c6dbaf6a227c9be
    
     
    Last edited: Aug 21, 2016
  10. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    5:14 AM
    Version 6 will follow soon.
    There is always little time between those 6 and 7 releases.

    And in my opinion better that it takes longer than Ubuntu's strategy.
    Ubuntu releases updates often the same day after the (CVE announcement).

    With all its consequences.
    Unstable software by not thoroughly tested. etc.

    I don't understand why Ubuntu is so popular (benefits weighed).
     
  11. SeaTea

    SeaTea Member

    49
    13
    8
    Feb 20, 2015
    the Netherlands
    Ratings:
    +28
    Local Time:
    5:14 AM
    Nginx:1.11
    MariaDB-10
    My server was updated by yum-cron last night and have manually rebooted just now.
    Do we still need to have:
    Code (Text):
    net.ipv4.tcp_challenge_ack_limit = 999999999

    after this fix ?
    (this is still active in my configuration after the reboot)
     
  12. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    i'd just leave it.. anyway

    yeah it's fine line to between timely updates and just being too late when it comes to security fixes
     
  13. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    5:14 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    Shutdown -h now and power on through myDigital Ocean menu
    OR
    shutdown -r now will be enough?
     
  14. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    DigitalOcean and Linode are different, they use custom fixed kernels. For DO, you need to go into your droplet and select the kernel if it's available. If not ask DO support and be prepared if the server doesn't reboot properly on DO when changing kernels.

    not seeing the updated kernel from droplet listing

    upload_2016-8-21_7-57-52.png
     
  15. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    oh there's another way How To Update a DigitalOcean Server's Kernel | DigitalOcean

     
  16. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    5:14 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    I use shutdown -h now command every time when creating snapshot, but with this command I have to go after shotdown to control panel and select to power on my server (if creating snapshot, then it power on it self automatically).

    I am just thinking will shutdown -r now command do that "power on" step automatically

    I have kernel upgrade once or twice already (through yum update, nothing special happened on rebooting).
     
  17. eva2000

    eva2000 Administrator Staff Member

    54,599
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  18. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    5:14 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    I did, but...

    Code:
    [root@tvor-ocean ~]# uname -ir
    3.10.0-229.14.1.el7.x86_64 x86_64
    And Yum history clearly shows that it was installed kernel-3.10.0-327.28.3.el7.x86_64

    Code:
    [root@tvor-ocean ~]# yum history info 155
    Loaded plugins: fastestmirror, priorities
    Transaction ID : 155
    Begin time     : Sat Aug 20 22:36:49 2016
    Begin rpmdb    : 770:cb52a847eab29197731d5033867ce20b35261d54
    End time       :            22:38:12 2016 (83 seconds)
    End rpmdb      : 770:5c9bbbad5cfe0159e9397746839ba522503a24d9
    User           : root <root>
    Return-Code    : Success
    Command Line   : update
    Transaction performed with:
        Installed     rpm-4.11.3-17.el7.x86_64                      @base
        Installed     yum-3.4.3-132.el7.centos.0.1.noarch           @base
        Installed     yum-plugin-fastestmirror-1.1.31-34.el7.noarch @base
    Packages Altered:
        Erase   kernel-3.10.0-327.13.1.el7.x86_64            @updates
        Install kernel-3.10.0-327.28.3.el7.x86_64            @updates
        Erase   kernel-devel-3.10.0-327.13.1.el7.x86_64      @updates
        Install kernel-devel-3.10.0-327.28.3.el7.x86_64      @updates
        Updated kernel-headers-3.10.0-327.28.2.el7.x86_64    @updates
        Update                 3.10.0-327.28.3.el7.x86_64    @updates
        Updated kernel-tools-3.10.0-327.28.2.el7.x86_64      @updates
        Update               3.10.0-327.28.3.el7.x86_64      @updates
        Updated kernel-tools-libs-3.10.0-327.28.2.el7.x86_64 @updates
        Update                    3.10.0-327.28.3.el7.x86_64 @updates
        Updated python-perf-3.10.0-327.28.2.el7.x86_64       @updates
        Update              3.10.0-327.28.3.el7.x86_64       @updates
    history info
    I tried with poweroff command, and then power on through Digital Ocean panel
    And also tried with reboot command
     
  19. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    5:14 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    I am confused

    Code:
    [root@tvor-ocean ~]# yum list --showduplicates kernel
    Loaded plugins: fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: mirror.imt-systems.com
    * epel: mirror.imt-systems.com
    * extras: mirror.23media.de
    * updates: mirror.eu.oneandone.net
    128 packages excluded due to repository priority protections
    Installed Packages
    kernel.x86_64                   3.10.0-229.14.1.el7                    @updates
    kernel.x86_64                   3.10.0-327.18.2.el7                    @updates
    kernel.x86_64                   3.10.0-327.22.2.el7                    @updates
    kernel.x86_64                   3.10.0-327.28.2.el7                    @updates
    kernel.x86_64                   3.10.0-327.28.3.el7                    @updates
    Available Packages
    kernel.x86_64                   3.10.0-327.el7                         base   
    kernel.x86_64                   3.10.0-327.3.1.el7                     updates
    kernel.x86_64                   3.10.0-327.4.4.el7                     updates
    kernel.x86_64                   3.10.0-327.4.5.el7                     updates
    kernel.x86_64                   3.10.0-327.10.1.el7                    updates
    kernel.x86_64                   3.10.0-327.13.1.el7                    updates
    kernel.x86_64                   3.10.0-327.18.2.el7                    updates
    kernel.x86_64                   3.10.0-327.22.2.el7                    updates
    kernel.x86_64                   3.10.0-327.28.2.el7                    updates
    kernel.x86_64                   3.10.0-327.28.3.el7                    updates 
     
  20. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    5:14 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    Ah, solved.

    Had to switch to the GrubLoader.
    After rebooting

    Code:
    [root@tvor-ocean ~]# uname -ir
    3.10.0-327.28.3.el7.x86_64 x86_64
    :)