Researchers have discovered a flaw in the Linux kernel’s TCP/IP networking subsystem implementation of the RFC 5961 challenge ACK rate limiting, that could allow an off-path attacker to inject payload into unsecured TCP connections.
All Red Hat customers with affected products deployments are recommended to apply mitigations to their systems until the updated kernel packages are available. Recommended mitigations can be found under the Resolve tab.
Red Hat would like to thank Yue Cao of the Cyber Security Group in the CS Department of the University of California, Riverside for reporting this issue.
Red Hat Product Security has rated this update as having a security impact of Important .
The following Red Hat Product versions are impacted, earlier versions are not affected:
- Red Hat Enterprise Linux 6.5 and later
- Red Hat Enterprise Linux 7
- Red Hat Enterprise MRG 2
Attack description and impact
This flaw allows an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two given endpoints on the network.
By setting net.ipv4.tcp_challenge_ack_limit to arbitrary high value we can effectively disable challenge ACK rate limiting, avoid the congestion and thus close the information side channel.
Edit the /etc/sysctl.conf file as root, and add or amend:
To apply this setting, run the /sbin/sysctl -p command as the root user to reload the settings from /etc/sysctl.conf.
Verify that net.ipv4.tcp_challenge_ack_limit is now set to defined value:
$ /sbin/sysctl net.ipv4.tcp_challenge_ack_limit net.ipv4.tcp_challenge_ack_limit = 2147483647
Updates for Affected Products
Fixes for all impacted products will be released in forthcoming update.
|Red Hat Enterprise Linux 6.5||kernel||RHSA-2016:1814|
|Red Hat Enterprise Linux 6.6||kernel||RHSA-2016:1939|
|Red Hat Enterprise Linux 6.7||kernel||RHSA-2016:1815|
|Red Hat Enterprise Linux 6.8||kernel||RHSA-2016:1664|
|Red Hat Enterprise Linux 7.1||kernel||RHSA-2016:1657|
|Red Hat Enterprise Linux 7.2||kernel||RHSA-2016:1633|
|Red Hat Enterprise Linux 7.2||kernel-rt||RHSA-2016:1632|
|Red Hat Enterprise MRG 2||realtime-kernel||RHSA-2016:1631|
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.