If you have a website, chances are that it’s running on a Linux server. And the latest news is that, Linux servers with kernel versions 3.6 to 4.6 are vulnerable to malware injection attacks.

This was demonstrated on Aug 10th, when security researchers injected phishing content “on the fly” on USA Today website.

The good news is, you can protect your servers. Today, we’ll see how.

What is “Off-path” TCP exploit?

First, a quick word on what this vulnerability is, and how it’s exploited:

Almost all online services like Web, Mail, Chat, etc. work using a protocol called TCP. A couple of security enhancements were made to this protocol in 2010.

RFC document 5961 suggested a series of security enhancements to TCP

Linux was quick to implement these changes, and released them along with kernel version 3.6 released in 2012.

Ironically, these security implementations had a vulnerability (CVE-2016-5696), and allows attackers to hijack an active TCP connection, and inject malware content into it.

This exploit is simple to execute, and can be done without active re-engineering of the whole connection, which is why it’s called an Off-Path attack.

Encrypted sessions are safe from malicious code injection, but attackers can force a session to close. The ability to close down TCP connections at will can give attackers the ability to launch DoS attacks, and in case of ToR connections, channel users into insecure servers.

How to check if your servers are vulnerable?

If you use a Linux server that was updated to the latest version after 2012, it’s likely to be vulnerable.

This is true in the case of Dedicated Servers and VPS instances. However, if you use a container VPS like OpenVZ, you may not be vulnerable.

You can find if you are vulnerable by checking the kernel version. For that, use the command uname, as shown here:

Kernels v3.6 to v4.6 are vulnerable

If you see a kernel version anywhere between 3.6 and 4.6, your server is vulnerable.

CentOS / RedHat

CentOS and RedHat versions 6 and 7 are vulnerable.

Ubuntu / Debian

In Ubuntu, 12.04 (LTS), 14.04 (LTS), 16.04 (LTS), and 16.10 are vulnerable.

Debian 7 and 8 are vulnerable.

What’s the permanent fix?

Linux has already released a patch for this, but this is yet to distributed by vendors such as RedHat, Debian, etc. You’ll need to upgrade your kernel to v4.6 or above.

However, this might take a few more days to happen.

Until then, there’s a work around to keep your systems and your customers safe.

How to mitigate the “Off-path” attack?

The exploit depends on the attacker’s ability to make the server give up an active TCP connection. Once the server leaves a connection hanging, the attacker masquerades as the server and send the visitor malware.

So, as a work around, make your server never give up an active connection.

For that, change the value of net.ipv4.tcp_challenge_ack_limit in /etc/sysctl.conf to a very high value like “999999999“.

net.ipv4.tcp_challenge_ack_limit = 999999999

Then, load this new setting by using the command:

# sysctl -p

Note that these changes are applicable if you have a dedicated server or a hard virtualized VPS. If you have container virtualization or if you are not sure how these changes might affect your server, we recommend you to get it looked at by a sysadmin.

In short..

TCP is the de-facto protocol used in internet services. A couple of changes implemented to bolster security resulted in a vulnerability that allows attackers to hijack TCP sessions, and inject malware in to websites. Today we’ve seen how to mitigate that in popular Linux servers such as CentOS, RedHat, Ubuntu and Debian until a full patch is available.

Bobcares helps online businesses of all sizes achieve world-class security and uptime, using tried and tested solutions. If you’d like to know how to make your server more reliable, we’d be happy to talk to you.