Bobcares

How to mitigate Linux “Off-path” TCP exploits (CVE-2016-5696) in CentOS, RedHat, Ubuntu and Debian


If you have a website, chances are that it’s running on a Linux server. And the latest news is that Linux servers running kernel versions 3.6 to 4.6 are vulnerable to an attack that lets a remote attacker, without being anywhere on the network path, reset TCP connections or inject content into unencrypted ones.

This was demonstrated on Aug 10th, when security researchers injected phishing content “on the fly” on USA Today website.

The good news is, you can protect your servers. Today, we’ll see how.

What is “Off-path” TCP exploit?

First, a quick word on what this vulnerability is, and how it’s exploited:

Almost all online services like Web, Mail, Chat, etc. work using a protocol called TCP. In 2010, RFC 5961 proposed a set of security enhancements to TCP, intended to make it harder for a blind attacker to reset a connection, or inject data into it, by guessing sequence numbers.

Linux was quick to implement these changes, and shipped them in kernel version 3.6, released in 2012.

Ironically, the Linux implementation of these enhancements had a vulnerability (CVE-2016-5696). RFC 5961 has the server answer suspicious packets with a “challenge ACK”, and Linux rate-limits those challenge ACKs with a single counter (100 per second by default) shared by every connection on the host. An attacker who opens his own connection to the server can send spoofed packets on behalf of someone else’s connection and count how many challenge ACKs his own connection still gets that second. That count leaks whether the guessed connection exists and, with more probing, its sequence and acknowledgement numbers, which is all that is needed to hijack the connection and inject content into it.

The attacker never has to see the traffic between the two ends; he only needs to send spoofed packets from anywhere on the Internet, which is why it’s called an Off-Path attack.

Encrypted sessions are safe from malicious content injection, but attackers can still force a session to close. The ability to close TCP connections at will can give attackers the ability to launch DoS attacks, and in the case of Tor, to break the connections between relays and push users toward servers the attacker prefers.

How to check if your servers are vulnerable?

If your server runs a kernel released after 2012 (v3.6 or later) and has not yet received the fix, it’s likely to be vulnerable.

This is true in the case of Dedicated Servers and hardware-virtualized VPS instances, where you run your own kernel. If you use a container VPS like OpenVZ, you share the host’s kernel, so whether you are vulnerable depends on the host’s kernel, and the mitigation below has to be applied by the host provider.

You can find if you are vulnerable by checking the kernel version. For that, use the command uname, as shown here:

[Screenshot: output of uname -r showing the running kernel version. Kernels v3.6 to v4.6 are vulnerable.]

If you see a kernel version anywhere between 3.6 and 4.6, your server is vulnerable. The version number alone is not the full story, though: distribution kernels carry backported code under their old version numbers, so a RedHat 2.6.32 or 3.10 kernel can contain the RFC 5961 code (and, once updated, its fix). Check your vendor’s advisory for CVE-2016-5696 as well as the version.

CentOS / RedHat

CentOS and RedHat versions 6 and 7 are vulnerable, even though their kernels report as 2.6.32 and 3.10: RedHat backported the RFC 5961 code into them. Follow RedHat’s errata rather than the version number.

Ubuntu / Debian

In Ubuntu, 12.04 (LTS), 14.04 (LTS), 16.04 (LTS), and 16.10 are vulnerable.

Debian 7 and 8 are vulnerable.

What’s the permanent fix?

Linux has already released a patch for this in kernel 4.7, but it has yet to be distributed by vendors such as RedHat, Debian, etc. as updated kernel packages. Note that 4.6 itself is still vulnerable: you’ll need to upgrade to v4.7 or above, or to your vendor’s kernel package that carries the backported fix.

However, this might take a few more days to happen.

Until then, there’s a work around to keep your systems and your customers safe.

How to mitigate the “Off-path” attack?

The exploit depends on the attacker’s ability to measure the server’s challenge ACK rate limit. Because the counter is shared by every connection on the host, the attacker’s own connection can observe how many challenge ACKs were “used up” answering his spoofed packets for someone else’s connection. That is the side channel which reveals sequence numbers, and with those the attacker can reset the connection or inject content into it.

So, as a work around, make the limit so high that the counter is never exhausted. The attacker then sees the same number of challenge ACKs no matter what he sends, and has nothing to measure.

For that, change the value of net.ipv4.tcp_challenge_ack_limit in /etc/sysctl.conf to a very high value like “999999999“.

net.ipv4.tcp_challenge_ack_limit = 999999999

Then, load this new setting by using the command:

# sysctl -p

Note that these changes are applicable if you have a dedicated server or a hard virtualized VPS. If you have container virtualization, the sysctl belongs to the host kernel and can only be changed by the provider. Also keep in mind that this workaround effectively disables the rate limit that RFC 5961 introduced to protect against ACK floods, so it is a stop-gap until the patched kernel is installed. If you are not sure how these changes might affect your server, we recommend you get it looked at by a sysadmin.
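Here is the workaround above as a script, added as an example and not taken from the original post. It sets the value in /etc/sysctl.conf without leaving duplicate lines behind, loads it with sysctl -p, and then reads the live value back from /proc to confirm the kernel accepted it. The function names, the `--apply` flag and the `SYSCTL_FILE` override are chosen for this example.

```sh
#!/bin/sh
# Added example, not from the original post: apply the challenge ACK workaround
# idempotently and verify it took effect. The 999999999 value and the use of
# /etc/sysctl.conf plus sysctl -p follow the post; SYSCTL_FILE can be
# overridden to point at another file (for instance when testing as non-root).

KEY=net.ipv4.tcp_challenge_ack_limit
LIMIT=999999999

# write_challenge_ack_limit FILE VALUE
#   set "KEY = VALUE" in FILE, replacing an existing line rather than appending
#   a duplicate (sysctl applies the last matching line, so duplicates mislead)
write_challenge_ack_limit() {
    f=$1
    val=$2
    if [ -f "$f" ] && grep -q "^[[:space:]]*net\.ipv4\.tcp_challenge_ack_limit[[:space:]]*=" "$f"; then
        sed "s/^[[:space:]]*net\.ipv4\.tcp_challenge_ack_limit[[:space:]]*=.*/$KEY = $val/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s = %s\n' "$KEY" "$val" >> "$f"
    fi
}

# read_challenge_ack_limit FILE
#   print the value sysctl -p would load from FILE (last matching line wins)
read_challenge_ack_limit() {
    grep "^[[:space:]]*net\.ipv4\.tcp_challenge_ack_limit[[:space:]]*=" "$1" \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# live_challenge_ack_limit
#   print the value the running kernel is actually using
live_challenge_ack_limit() {
    cat /proc/sys/net/ipv4/tcp_challenge_ack_limit
}

# apply_mitigation
#   persist the setting, load it, and confirm the live value; needs root
apply_mitigation() {
    conf=${SYSCTL_FILE:-/etc/sysctl.conf}
    write_challenge_ack_limit "$conf" "$LIMIT"
    sysctl -p "$conf" >/dev/null
    if [ "$(live_challenge_ack_limit)" = "$LIMIT" ]; then
        echo "ok: $KEY = $LIMIT (persisted in $conf)"
    else
        echo "failed: $KEY is $(live_challenge_ack_limit), expected $LIMIT" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_mitigation
fi
```

Run it as root with `sh mitigate-cve-2016-5696.sh --apply`. On a container VPS the write to /proc fails because the kernel belongs to the host, and the script reports that rather than silently claiming success.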

In short..

TCP is the de-facto protocol used in internet services. A couple of changes implemented to bolster security resulted in a vulnerability that allows attackers to hijack TCP sessions and inject content into unencrypted websites. Today we’ve seen how to mitigate that in popular Linux servers such as CentOS, RedHat, Ubuntu and Debian until a patched kernel is available.

Bobcares helps online businesses of all sizes achieve world-class security and uptime, using tried and tested solutions. If you’d like to know how to make your server more reliable, we’d be happy to talk to you.
