
How to mitigate Linux “Off-path” TCP exploits (CVE-2016-5696) in CentOS, RedHat, Ubuntu and Debian


If you have a website, chances are it is running on a Linux server. Linux kernels from version 3.6 up to and including 4.6 carry a flaw, CVE-2016-5696, that lets an attacker who is not on the network path inject data into, or tear down, established TCP connections.

This was demonstrated on August 10th, 2016, when the researchers who found the flaw injected phishing content "on the fly" into a USA Today page.

The good news is, you can protect your servers. Today, we’ll see how.

What is an "Off-path" TCP exploit?

First, a quick word on what this vulnerability is, and how it’s exploited:

Almost all online services (web, mail, chat and so on) run over TCP. In 2010, RFC 5961 proposed a set of hardening measures for TCP, intended to make blind in-window reset and data-injection attacks harder to carry out.

Linux was quick to adopt these measures: they shipped in kernel version 3.6, released in 2012.

Ironically, the Linux implementation of these protections had a flaw of its own, tracked as CVE-2016-5696. The kernel rate-limited the "challenge ACKs" that RFC 5961 introduces with a single global counter (100 per second by default, tunable through the net.ipv4.tcp_challenge_ack_limit sysctl) shared by every connection on the host. By sending crafted packets and counting how many challenge ACKs come back, an attacker can tell whether two hosts have a connection open, learn its sequence and acknowledgment numbers, and then inject data into it or reset it.

It is called an off-path attack because the attacker does not need to sit on the path between client and server or observe any of their traffic; being able to send packets with a spoofed source address is enough, and no prior access to either endpoint is required.

Encrypted sessions (HTTPS, SSH) are safe from content injection, since the attacker cannot produce valid ciphertext, but the attacker can still force the connection to close. Being able to reset TCP connections at will enables denial of service and, in the case of Tor, can be used to knock users off their current relays and steer them toward ones the attacker prefers.

How to check whether your servers are vulnerable

Any Linux server running a kernel released since 2012 (that is, kernel 3.6 or later) that has not yet been updated to a fixed build is likely to be vulnerable.

This applies to dedicated servers and to VPS instances that run their own kernel. A container VPS such as OpenVZ shares the host's kernel, so whether it is affected depends on the host kernel, which you cannot patch from inside the container; ask your provider.

You can get a first indication by checking the kernel version with the uname -r command.

If the version reported is anywhere from 3.6 up to and including 4.6, the server is vulnerable unless your distribution has already shipped a fixed build under that same version number. Enterprise distributions backport fixes without bumping the version, and some (RHEL and CentOS 6, at kernel 2.6.32) backported the RFC 5961 code itself, so treat the version number as a hint and your distribution's security advisory for CVE-2016-5696 as the final word.

CentOS / RedHat

CentOS and Red Hat Enterprise Linux 6 and 7 are vulnerable (RHEL 6 despite its 2.6.32 kernel, because the RFC 5961 code was backported into it).

Ubuntu / Debian

Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS and 16.10 are vulnerable.

Debian 7 and 8 are vulnerable.
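The following script is an added example, not part of the original article or any vendor tooling. It turns the check above into a function that classifies a uname -r string against the 3.6 to 4.6 range, inspects the live host for the net.ipv4.tcp_challenge_ack_limit sysctl (the knob that belongs to the RFC 5961 challenge-ACK code where the bug lives), and prints the interim workaround that distributions recommended until a fixed kernel could be installed: raising that limit to a very large value so the global counter no longer leaks useful information. The file name under /etc/sysctl.d is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original article): classify a kernel release
# string against the 3.6 .. 4.6 range given for CVE-2016-5696, inspect the
# live host, and print the interim sysctl workaround.

# Usage: version_in_vulnerable_range "4.4.0-36-generic"
# Exit 0 when MAJOR.MINOR is between 3.6 and 4.6 inclusive, 1 when it is
# outside that range, 2 when the string cannot be parsed. Only the first two
# numeric fields matter; suffixes such as "-generic" or ".el7" are ignored.
version_in_vulnerable_range() {
    major=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\..*/\1/p')
    minor=$(printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]*\.\([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    if [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -le 6 ]; then return 0; fi
    return 1
}

# Prints yes / no / unknown for a release string, for use in reports.
classify_release() {
    if version_in_vulnerable_range "$1"; then
        echo yes
    elif [ $? -eq 2 ]; then
        echo unknown
    else
        echo no
    fi
}

# The challenge-ACK sysctl exists wherever the RFC 5961 code is present,
# including backported kernels such as RHEL 6 whose version number (2.6.32)
# falls outside the range. Its presence does not by itself prove the build is
# unpatched; the distribution's advisory decides that. Prints the current
# limit, or "absent" when the kernel has no RFC 5961 code at all.
challenge_ack_limit() {
    if [ -r /proc/sys/net/ipv4/tcp_challenge_ack_limit ]; then
        cat /proc/sys/net/ipv4/tcp_challenge_ack_limit
    else
        echo absent
    fi
}

release=$(uname -r)
echo "kernel $release: version in 3.6..4.6 range: $(classify_release "$release")"
echo "net.ipv4.tcp_challenge_ack_limit: $(challenge_ack_limit)"

# Interim workaround, to be run as root. The file name is an arbitrary choice.
cat <<'EOF'
Until the fixed kernel is installed and the server rebooted, raise the limit:
  sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999
  echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' > /etc/sysctl.d/99-cve-2016-5696.conf
Permanent fix: install your distribution's kernel update (yum update kernel,
or apt-get update && apt-get upgrade) and reboot into the new kernel.
EOF
```

A version number of 2.6.32 on a CentOS 6 box will classify as "no" here while the sysctl shows up as present; that combination is exactly the backport case, and the advisory, not the number, tells you whether the installed build is fixed. The sysctl change takes effect immediately but is not a substitute for the kernel update, which is the only complete fix.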

Are your servers vulnerable?

We can help you patch your servers, do a full-site security testing and secure your services from attacks.

