
Linux Kernel Vulnerability: Challenge ACK Counter Information Disclosure

linux, kernel, tcp, ack

A flaw was found in the Linux kernel's handling of TCP challenge ACKs: an attacker can infer the value of the global challenge ACK counter, which is shared across all connections (CVE-2016-5696). This side channel allows an attacker to reset, inject data into, or take over a TCP connection between a server and a client without being in a traditional Man In the Middle (MITM) position [1]. The attacker must be able to spoof the IP address of the victim to conduct the attack.

Airlock WAF is affected. For properly configured SSL/TLS connections the risk is reduced to denial of service (TCP connection resets), because data injected into a TLS-protected connection does not pass the TLS record integrity checks and cannot be used to take over the session.


Independent of this vulnerability, an attacker with Man In the Middle (MITM) access can easily manipulate data in unencrypted TCP connections. Therefore, we highly recommend configuring SSL/TLS on all virtual hosts wherever confidentiality and/or integrity is important.

If you want to manually mitigate the vulnerability, add the following TCP network setting to /etc/sysctl.d/airlock.conf. The attack works by observing when the per-second challenge ACK budget is exhausted; raising the limit to a very large value means the counter never saturates, so the attacker can no longer infer it from the number of challenge ACKs the kernel sends.

net.ipv4.tcp_challenge_ack_limit = 999999999

and run

sysctl -p /etc/sysctl.d/airlock.conf

to refresh with the new configuration.

These changes do not survive updates: applying an Airlock update may reset the file content, so verify the setting again after every update.
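The mitigation steps above, wrapped as an added check script that is not part of the original advisory and not Airlock's own tooling. It verifies that the setting is both persisted in the sysctl file and active in the running kernel (the two can diverge after an update, which is the caveat above), and can write the setting idempotently. The function names, the threshold constant and the overridable file paths are assumptions for illustration; the default paths are the ones named in the advisory.

```shell
#!/bin/sh
# Added example (not part of the Airlock advisory): check and persist the
# CVE-2016-5696 mitigation described above. Function names, the threshold and
# the overridable paths are assumptions; defaults are the advisory's paths.

MITIGATION_KEY="net.ipv4.tcp_challenge_ack_limit"
MITIGATION_VALUE=999999999
DEFAULT_CONF="/etc/sysctl.d/airlock.conf"
DEFAULT_PROC="/proc/sys/net/ipv4/tcp_challenge_ack_limit"

# Print the value configured for the key in a sysctl(8)-style file
# ("key = value" lines, '#' comments, surrounding whitespace tolerated).
# The last matching line wins, mirroring how sysctl -p applies the file.
configured_value() {
    sed -n 's/^[[:space:]]*'"$MITIGATION_KEY"'[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Print the value the running kernel currently uses (path overridable so the
# check can be exercised against a constructed file).
running_value() {
    cat "${1:-$DEFAULT_PROC}" 2>/dev/null
}

# Return 0 when both the persisted and the running value are at least the
# advisory's value, 1 otherwise. One status line per check.
check_mitigation() {
    conf="${1:-$DEFAULT_CONF}"
    proc_path="${2:-$DEFAULT_PROC}"
    status=0
    persisted=$(configured_value "$conf")
    live=$(running_value "$proc_path")
    if [ -n "$persisted" ] && [ "$persisted" -ge "$MITIGATION_VALUE" ]; then
        echo "persisted: ok ($persisted in $conf)"
    else
        echo "persisted: MISSING or too low in $conf (an update may have reset it)"
        status=1
    fi
    if [ -n "$live" ] && [ "$live" -ge "$MITIGATION_VALUE" ]; then
        echo "running:   ok ($live)"
    else
        echo "running:   NOT applied (${live:-unreadable}); run: sysctl -p $conf"
        status=1
    fi
    return $status
}

# Write the setting into the sysctl file exactly once: replace an existing
# line for the key, otherwise append. Uses a temp file + mv instead of
# sed -i so it behaves the same on GNU and BSD sed. Does not reload the
# kernel setting; run "sysctl -p <file>" afterwards as the advisory says.
persist_mitigation() {
    conf="${1:-$DEFAULT_CONF}"
    if grep -q "^[[:space:]]*$MITIGATION_KEY[[:space:]]*=" "$conf" 2>/dev/null; then
        tmp="$conf.tmp.$$"
        sed "s|^[[:space:]]*$MITIGATION_KEY[[:space:]]*=.*|$MITIGATION_KEY = $MITIGATION_VALUE|" \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s = %s\n' "$MITIGATION_KEY" "$MITIGATION_VALUE" >> "$conf"
    fi
    echo "wrote $MITIGATION_KEY = $MITIGATION_VALUE to $conf; now run: sysctl -p $conf"
}
```

Run `check_mitigation` with no arguments on the appliance to test the real paths; it exits non-zero if either the file or the live kernel value is missing or below the advisory's value, which makes it usable as a post-update health check.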

Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock