How to mitigate Linux “Off-path” TCP exploits (CVE-2016-5696) in CentOS, RedHat, Ubuntu and Debian
If you have a website, chances are that it’s running on a Linux server. And the latest news is that Linux servers with kernel versions 3.6 to 4.6 are vulnerable to malware injection attacks.
This was demonstrated on Aug 10th, when security researchers injected phishing content “on the fly” on USA Today website.
The good news is, you can protect your servers. Today, we’ll see how.
What is an “Off-path” TCP exploit?
First, a quick word on what this vulnerability is, and how it’s exploited:
Almost all online services like Web, Mail, Chat, etc. work using a protocol called TCP. A couple of security enhancements were made to this protocol in 2010.
Linux was quick to implement these changes, and released them along with kernel version 3.6 released in 2012.
Ironically, these security implementations had a vulnerability (CVE-2016-5696) that allows attackers to hijack an active TCP connection and inject malware content into it.
This exploit is simple to execute, and can be carried out without the attacker intercepting or sitting in the path of the connection, which is why it’s called an Off-Path attack.
Encrypted sessions are safe from malicious code injection, but attackers can force a session to close. The ability to close TCP connections at will gives attackers a way to launch DoS attacks and, in the case of Tor connections, to channel users into insecure servers.
How to check if your servers are vulnerable?
If you use a Linux server that was updated to the latest version after 2012, it’s likely to be vulnerable.
This is true in the case of Dedicated Servers and VPS instances. However, if you use a container VPS like OpenVZ, you may not be vulnerable.
You can find out if you are vulnerable by checking the kernel version. For that, run the uname -r command, which prints the version of the running kernel.
If you see a kernel version anywhere between 3.6 and 4.6, your server is vulnerable.
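As an added example (not part of the original post), the shell check below parses a kernel version string and reports whether it falls in the 3.6 to 4.6 range named above; the sample version strings are constructed. Distribution kernels often carry backported fixes, so treat the version check as a first screen and the vendor advisory as the final word.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a kernel
# version string (as printed by "uname -r") falls in 3.6 .. 4.6.
# Exit status: 0 = in range, 1 = outside range, 2 = not a parseable version.
kernel_in_vuln_range() {
    ver="$1"
    # Keep only major and minor, e.g. "4.4.0-34-generic" -> major 4, minor 4
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    # In range when 3.6 <= major.minor <= 4.6
    if [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -le 6 ]; then return 0; fi
    return 1
}

# Run the check against the kernel this host is actually running.
check_running_kernel() {
    running=$(uname -r)
    if kernel_in_vuln_range "$running"; then
        echo "kernel $running is in the 3.6-4.6 range: apply the vendor patch"
    else
        echo "kernel $running is outside the 3.6-4.6 range"
    fi
}

check_running_kernel
```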
CentOS / RedHat
CentOS and RedHat versions 6 and 7 are vulnerable.
Ubuntu / Debian
In Ubuntu, 12.04 (LTS), 14.04 (LTS), 16.04 (LTS), and 16.10 are vulnerable.
Debian 7 and 8 are vulnerable.
Bobcares provides Outsourced Hosting Support and Outsourced Server Management for online businesses. Our services include Hosting Support Services, server support, help desk support, live chat support and phone support.