A flaw was found in the Linux kernel's handling of TCP challenge ACKs: an attacker is able to determine the shared challenge ACK counter (CVE-2016-5696). This allows an attacker to reset, inject into or take over a TCP connection between a server and a client without being a traditional Man In the Middle (MITM) [1]. To conduct the attack, the attacker must be able to spoof the IP address of the victim.
Airlock WAF is affected. For properly configured SSL/TLS connections the risk is reduced to Denial of Service (TCP connection resets).
Independent of this vulnerability, an attacker with Man In the Middle (MITM) access can easily manipulate data in unencrypted TCP connections. Therefore, we highly recommend configuring SSL/TLS on all virtual hosts wherever secrecy and/or integrity is important.
If you want to mitigate the vulnerability manually, add the following TCP network setting to /etc/sysctl.d/airlock.conf:
net.ipv4.tcp_challenge_ack_limit = 999999999
and run
sysctl -p /etc/sysctl.d/airlock.conf
to load the new configuration.
These changes are not update-resistant: applying an update may reset the file content, so the setting should be checked again after every update.
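The following script applies the mitigation above idempotently and verifies it, so it can be re-run after an update that may have reset the file. It is an added example, not part of the Airlock advisory; the file path and the value are the ones given above, and the AIRLOCK_SYSCTL_CONF override variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Airlock's code): apply and verify the CVE-2016-5696
# sysctl mitigation so the check can be repeated after updates.

AIRLOCK_SYSCTL_CONF="${AIRLOCK_SYSCTL_CONF:-/etc/sysctl.d/airlock.conf}"
SYSCTL_KEY="net.ipv4.tcp_challenge_ack_limit"
SYSCTL_VALUE="999999999"   # value recommended in the advisory

# Return 0 (true) if the given limit is below the advisory's value,
# i.e. the mitigation is missing or was reset; an empty value counts as 0.
needs_mitigation() {
    [ "${1:-0}" -lt "$SYSCTL_VALUE" ]
}

# Read the live kernel value; prints nothing if /proc is unavailable.
current_limit() {
    cat /proc/sys/net/ipv4/tcp_challenge_ack_limit 2>/dev/null
}

# Write or update the setting in the given file so it appears exactly once,
# leaving all other lines untouched (handles "key=val" and "key = val").
ensure_setting() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^${SYSCTL_KEY}[[:space:]]*=" "$conf"; then
        awk -v k="$SYSCTL_KEY" -v v="$SYSCTL_VALUE" '
            index($0, k) == 1 && substr($0, length(k) + 1) ~ /^[[:space:]]*=/ {
                print k " = " v; next }
            { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s = %s\n' "$SYSCTL_KEY" "$SYSCTL_VALUE" >> "$conf"
    fi
}

# Number of lines in the file that set the key; should be exactly 1.
setting_count() {
    grep -c "^${SYSCTL_KEY}[[:space:]]*=" "$1"
}

# Only act when invoked as "script.sh apply"; sourcing it defines the functions.
if [ "${1:-}" = "apply" ]; then
    ensure_setting "$AIRLOCK_SYSCTL_CONF"
    sysctl -p "$AIRLOCK_SYSCTL_CONF"
    if needs_mitigation "$(current_limit)"; then
        echo "WARNING: $SYSCTL_KEY is still below $SYSCTL_VALUE" >&2
    fi
fi
```

Running `needs_mitigation "$(current_limit)"` alone after an update is enough to tell whether the file content was reset.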