How to mitigate Linux “Off-path” TCP exploits (CVE-2016-5696) in CentOS, RedHat, Ubuntu and Debian
What’s the permanent fix?
Linux has already released a patch for this, but it is yet to be distributed by vendors such as RedHat, Debian, etc. You’ll need to upgrade your kernel to v4.6 or above.
However, this might take a few more days to happen.
Until then, there’s a workaround to keep your systems and your customers safe.
How to mitigate the “Off-path” attack?
The exploit depends on the attacker’s ability to make the server give up an active TCP connection. Once the server leaves a connection hanging, the attacker masquerades as the server and sends the visitor malware.
So, as a workaround, make your server never give up an active connection.
For that, change the value of net.ipv4.tcp_challenge_ack_limit in /etc/sysctl.conf to a very high value like "999999999".
net.ipv4.tcp_challenge_ack_limit = 999999999
Then, load this new setting by using the command:
# sysctl -p
Note that these changes are applicable if you have a dedicated server or a hardware-virtualized VPS. If you have container virtualization, or if you are not sure how these changes might affect your server, we recommend having it looked at by a sysadmin.
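As an added example (not part of the Bobcares post), a POSIX shell script that applies the sysctl.conf change above idempotently and then checks the live kernel value, which also covers the container case just mentioned. It assumes the configuration file path is passed as its first argument.

```shell
#!/bin/sh
# Added example: pin net.ipv4.tcp_challenge_ack_limit in a sysctl file
# (replace an existing or commented-out line, or append) and verify the
# value the running kernel actually uses.

KEY="net.ipv4.tcp_challenge_ack_limit"
WANT="999999999"

# set_in_conf FILE: rewrite any existing (even commented) assignment of
# $KEY in FILE, otherwise append one. Safe to run repeatedly.
set_in_conf() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${KEY}[[:space:]]*=" "$conf"; then
        tmp="${conf}.tmp.$$"   # rewrite via temp file; portable without sed -i
        sed -E "s|^[[:space:]]*#?[[:space:]]*${KEY}[[:space:]]*=.*|${KEY} = ${WANT}|" "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf '%s = %s\n' "$KEY" "$WANT" >> "$conf"
    fi
}

# conf_value FILE: print the effective (last uncommented) value in FILE.
conf_value() {
    grep -E "^[[:space:]]*${KEY}[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/.*=[[:space:]]*//'
}

# running_value: print the live value from /proc/sys; prints nothing and
# fails when the knob is not exposed (e.g. inside a container).
running_value() {
    path="/proc/sys/$(printf '%s' "$KEY" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# is_mitigated VALUE: true only if the live value is at least the target.
is_mitigated() {
    [ -n "$1" ] && [ "$1" -ge "$WANT" ] 2>/dev/null
}

# Usage: sh mitigate.sh /etc/sysctl.conf  (loads it with sysctl -p, as above)
if [ $# -ge 1 ]; then
    set_in_conf "$1"
    echo "$1 now sets $KEY = $(conf_value "$1")"
    sysctl -p "$1" >/dev/null 2>&1 || true
    live=$(running_value || true)
    if is_mitigated "$live"; then
        echo "live value $live: workaround active"
    else
        echo "live value '${live:-unavailable}': not applied (container or no privilege?)"
    fi
fi
```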
TCP is the de facto protocol used in internet services. A couple of changes implemented to bolster security resulted in a vulnerability that allows attackers to hijack TCP sessions and inject malware into websites. Today we’ve seen how to mitigate that in popular Linux servers such as CentOS, RedHat, Ubuntu and Debian until a full patch is available.
Bobcares helps online businesses of all sizes achieve world-class security and uptime, using tried and tested solutions. If you’d like to know how to make your server more reliable, we’d be happy to talk to you.