[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: (OT kinda) Newly-discovered TCP flaw

I did some web surfing when this thread was posted, to try to track
down *which kernel versions* are affected by this TCP security flaw.
I haven't seen this information posted yet.

http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf says:
"The feature is outlined in RFC 5961, which is implemented faithfully
in Linux kernel version 3.6 from late 2012."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696 says:
"net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly
determine the rate of challenge ACK segments, which makes it easier
for man-in-the-middle attackers to hijack TCP sessions via a blind
in-window attack."

So the flaw appears to be in Linux kernels from 3.6 to 4.6 inclusive,
which includes Jessie (3.16) but not Wheezy (3.2) or earlier.
The jessie-backports kernel right now is 4.6, but only for a brief
time.  The last plan I saw was for Stretch to ship with 4.10, which
should include the fix for this flaw.

Now on to the thread:

On Fri, Aug 12, 2016 at 10:42:36AM -0400, rhkramer@gmail.com wrote:
> In the README for sysctl on my wheezy system, it says "configure kernel 
> parameters at runtime".

Not on mine.

greg@remote:~$ grep run /etc/sysctl.d/README.sysctl
greg@remote:~$ 

> I may be having a senior moment, but, atm, I'm not completely sure what 
> runtime means

"At boot time", I would think.  But I don't know where your file actually
came from, so my guesses about the author's intent might be somewhat off.

README.sysctl is short enough to post in its entirety here, so this is
what mine says on a wheezy system:

======================================================================
Kernel system variables configuration files

Files found under the /etc/sysctl.d directory that end with .conf are
parsed within sysctl(8) at boot time.  If you want to set kernel variables
you can either edit /etc/sysctl.conf or make a new file.

The filename isn't important, but don't make it a package name as it may clash
with something the package builder needs later. It must end with .conf though.

My personal preference would be for local system settings to go into
/etc/sysctl.d/local.conf but as long as you follow the rules for the names
of the file, anything will work. See sysctl.conf(8) man page for details
of the format.
======================================================================
Reply to: