Discover Centmin Mod today
Register Now

TCP Flaw CVE-2016-5696 Workaround Update

Discussion in 'Centmin Mod News' started by eva2000, Aug 12, 2016.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    30,949
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,415
    Local Time:
    4:18 PM
    Nginx 1.13.x
    MariaDB 5.5

    TCP Flaw CVE-2016-5696 Workaround



    Update: August 21st, 2016 - RedHat has released RHEL7 Kernel update (kernel-3.10.0-327.28.3.el7.x86_64) for TCP fix but RHEL6 does not yet have a Kernel Update. Once Kernel is updated, you would require a server reboot. Full details here.

    Updated both Centmin Mod 123.08stable and 123.09beta01 builds with workaround fixes for TCP Flaw CVE-2016-5696 outlined here. Details for CVE-2016-5696 outlined here. After updating your Centmin Mod installs via below instructions, run centmin.sh once and the workaround will be applied automatically. You can verify the workaround fix is in place via command
    Code (Text):
    sysctl -a | grep ack_limit                                                           
    

    Which should return output of
    Code (Text):
    sysctl -a | grep ack_limit                                                           
    net.ipv4.tcp_challenge_ack_limit = 999999999
    

    Note, OpenVZ VPS systems are unable to adjust TCP values at server level, so need your web host to do it for you

    If for whatever reason the auto fix doesn't apply, you can do it manually via these 2 commands

    For CentOS 6 (FYI some web hosts use custom kernels like Linode with 4.6+ kernels) and well CentOS 6 is affected despite using 2.6.x kernels
    Code (Text):
    echo "net.ipv4.tcp_challenge_ack_limit = 999999999" >> /etc/sysctl.conf; sysctl -p;
    sysctl -a | grep ack_limit
    


    For CentOS 7
    Code (Text):
    echo "net.ipv4.tcp_challenge_ack_limit = 999999999" >> /etc/sysctl.d/101-sysctl.conf; sysctl -p;
    sysctl -a | grep ack_limit
    


    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:
     
    Last edited: Aug 21, 2016
    • Like Like x 3
    • Informative Informative x 2
    • Winner Winner x 1
  2. eva2000

    eva2000 Administrator Staff Member

    30,949
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,415
    Local Time:
    4:18 PM
    Nginx 1.13.x
    MariaDB 5.5
    Just to clarify on Redhat/CentOS both version 6 and 7 are affected with 2.6.x kernels CVE-2016-5696 - Red Hat Customer Portal

     
    • Like Like x 1
  3. eva2000

    eva2000 Administrator Staff Member

    30,949
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,415
    Local Time:
    4:18 PM
    Nginx 1.13.x
    MariaDB 5.5
  4. eva2000

    eva2000 Administrator Staff Member

    30,949
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,415
    Local Time:
    4:18 PM
    Nginx 1.13.x
    MariaDB 5.5
    Update: August 21st, 2016 - RedHat has released RHEL7 Kernel update (kernel-3.10.0-327.28.3.el7.x86_64) for TCP fix but RHEL6 does not yet have a Kernel Update. Once Kernel is updated, you would require a server reboot. Full details here.
     
Thread Status:
Not open for further replies.