How do I protect my system against the Off-path TCP exploit in Linux?
According to LWN there is a mitigation which can be used while you do not have a patched kernel:
there is a mitigation available in the form of the
tcp_challenge_ack_limit
sysctl
knob. Setting that value to something enormous (e.g.999999999
) will make it much harder for attackers to exploit the flaw.
You should set it by creating a file in /etc/sysctl.d
and then implementing it with sysctl -a
. Open a terminal (press Ctrl+Alt+T), and run:
sudo -i
echo "# CVE-2016-5696
net.ipv4.tcp_challenge_ack_limit = 999999999
" > /etc/sysctl.d/security.conf
sysctl -a
exit
By the way, you can track the state of this vulnerability on Debian in the security tracker.
You tagged this question debian, so I will assume that you are running a Linux-based Debian system.
The relevant patch that fixes this bug is small and relatively isolated, making it a prime candidate for backporting.
Debian is usually quite good about backporting security-related fixes to the software versions that they are shipping on supported distribution releases. Their security advisories list for 2016 currently lists eight security advisories relating to the Linux kernel (linux
and linux-2.6
packages), the most recent being DSA-3616 on July 4. The patch for the bug you mention was committed to the source code tree a week later, on July 11.
Security support for Wheezy is with the LTS (Long-Term Support) team until 31 May 2018, and Jessie is currently receiving normal security updates by virtue of being the current release.
I would expect a security patch soonish against supported Debian releases suffering from this bug.
It's also possible that the kernels shipped by Debian are not vulnerable. The CVE does say "before 4.7", but I doubt that statement can be taken at literal face value; the relevant code had probably not been introduced in the first public release of the Linux kernel (in 1991 or so) so there must logically exist kernel versions which meet the criteria of being earlier than version 4.7 but which are not vulnerable. I have not checked to see whether this applies to those kernels being shipped by current Debian releases.
If you are running an unsupported Debian release which is vulnerable to this bug, or if you require an immediate fix, then you might have to backport the fix manually or upgrade to a more recent release at least of the kernel itself.