CVE-2016-5696: Infoleak
First published: Tue Jul 12 2016(Updated: )
A flaw was found in the implementation of the Linux kernels handling of networking challenge ack where an attacker is able to determine the shared counter. This may allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without having to be a traditional Man In the Middle (MITM) style attack. OSS-Security post: <a href="http://seclists.org/oss-sec/2016/q3/44">http://seclists.org/oss-sec/2016/q3/44</a> Upstream patch: <a href="https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758">https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google Android | <=7.0 | |
| Oracle VM Server | =3.3 | |
| Oracle VM Server | =3.4 | |
| Linux Linux kernel | <=4.6.6 | |
| redhat/kernel | <4.7.1 | 4.7.1 |
| redhat/kernel | <4.6.7 | 4.6.7 |
| redhat/kernel | <4.4.18 | 4.4.18 |
| redhat/kernel | <3.14.76 | 3.14.76 |
| Google Android | ||
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.12.5-1 6.12.6-1 |
Remedy
Set the net.ipv4.tcp_challenge_ack_limit sysctl to some absurdly large number (as described in the lwn article referenced above)
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2016/07/12/2
- http://www.prnewswire.com/news-releases/mitnick-attack-reappears-at-geekpwn-macau-contest-300270779.html
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758
- https://bugzilla.redhat.com/show_bug.cgi?id=1354708
- https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- https://github.com/Gnoxter/mountain_goat
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://source.android.com/security/bulletin/2016-10-01.html
- https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf
- http://rhn.redhat.com/errata/RHSA-2016-1814.html
- http://rhn.redhat.com/errata/RHSA-2016-1815.html
- http://rhn.redhat.com/errata/RHSA-2016-1631.html
- http://rhn.redhat.com/errata/RHSA-2016-1632.html
- http://rhn.redhat.com/errata/RHSA-2016-1633.html
- http://rhn.redhat.com/errata/RHSA-2016-1657.html
- http://rhn.redhat.com/errata/RHSA-2016-1664.html
- http://www.ubuntu.com/usn/USN-3070-2
- http://www.ubuntu.com/usn/USN-3070-3
- http://www.ubuntu.com/usn/USN-3070-4
- http://www.ubuntu.com/usn/USN-3070-1
- http://www.ubuntu.com/usn/USN-3071-1
- http://www.ubuntu.com/usn/USN-3071-2
- http://www.ubuntu.com/usn/USN-3072-1
- http://www.ubuntu.com/usn/USN-3072-2
- http://www.securityfocus.com/bid/91704
- http://www.securitytracker.com/id/1036625
- https://bto.bluecoat.com/security-advisory/sa131
- https://kc.mcafee.com/corporate/index?page=content&id=SB10167
- http://rhn.redhat.com/errata/RHSA-2016-1939.html
- https://security.paloaltonetworks.com/CVE-2016-5696
- https://www.arista.com/en/support/advisories-notices/security-advisories/1461-security-advisory-23
- https://launchpad.net/bugs/cve/CVE-2016-5696
- https://kc.mcafee.com/corporate/index?page=content&id=SB10167
- http://seclists.org/oss-sec/2016/q3/44
- https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1355615
- https://www.mail-archive.com/netdev@vger.kernel.org/msg118824.html
- http://lwn.net/Articles/696868/
- https://access.redhat.com/security/cve/CVE-2016-5389
- https://access.redhat.com/security/cve/CVE-2016-5969
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1354708#c24
- https://rhn.redhat.com/errata/RHSA-2016-1632.html
- https://rhn.redhat.com/errata/RHSA-2016-1631.html
- https://rhn.redhat.com/errata/RHSA-2016-1633.html
- https://rhn.redhat.com/errata/RHSA-2016-1657.html
- https://rhn.redhat.com/errata/RHSA-2016-1664.html
- https://rhn.redhat.com/errata/RHSA-2016-1814.html
- https://rhn.redhat.com/errata/RHSA-2016-1815.html
- https://rhn.redhat.com/errata/RHSA-2016-1939.html
- https://source.android.com/docs/security/bulletin/2016-10-01 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696
- https://nvd.nist.gov/vuln/detail/CVE-2016-5696
- https://security-tracker.debian.org/tracker/CVE-2016-5696
- https://ubuntu.com/security/CVE-2016-5696
- https://github.com/torvalds/linux/commit/282f23c6ee343126156dd41218b22ece96d747e3
Frequently Asked Questions
What is CVE-2016-5696?
CVE-2016-5696 is a vulnerability in the Linux kernel before version 4.7 that allows remote attackers to hijack TCP sessions via a blind in-window attack.
How does CVE-2016-5696 affect Linux?
CVE-2016-5696 affects the Linux kernel versions before 4.7, making it vulnerable to remote attackers who can hijack TCP sessions.
How severe is CVE-2016-5696?
CVE-2016-5696 is considered a high severity vulnerability with a severity value of 7.
Which software versions are affected by CVE-2016-5696?
Linux kernel versions before 4.7, such as 3.2.0-1672.98, are affected by CVE-2016-5696.
Is there a fix available for CVE-2016-5696?
Yes, updating the Linux kernel to version 4.7 or later will fix the vulnerability.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-5696
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/android-source
- source/Android
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/google
- canonical/google android
- version/google android/7.0
- vendor/oracle
- canonical/oracle vm server
- version/oracle vm server/3.3
- version/oracle vm server/3.4
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/4.6.6
- package-manager/redhat
- package-manager/debian