This article is more than 1 year old
Debian plugs Linux 'TCP snoop' bug
Happy Labor Day, US sysadmins. Everyone else, you know what to do
Debian's maintainers have moved to plug the TCP snooping flaw that emerged in August 2016.
The bug, CVE-2016-5696, was spotted by University of California Riverside's Zhiyun Qian and his collaborators and published in August.
It enabled an attack against Linux (and Android) implementations of RFC 5961, which used challenge ACK packets to try and harden Linux. The implementation bug, present in the kernel since 2012, meant targets could be fooled into rate-limiting their challenge ACKs, letting an attacker work out sequence numbering when it resumed.
When they presented their research at Usenix, Qian's group also showed how the bug could be exploited to force Tor users through particular exit relays.
There's also patches for:
- CVE-2016-6136 – a double-fetch bug with much more limited impact (an attacker can create misleading log entries);
- CVE-2016-6480 – a minor double-fetch bug; and
- CVE-2016-6828, which the Bugtraq http://seclists.org/bugtraq/2016/Sep/2 announcement says might create local denial-of-service vectors.
The vulns have been fixed in 3.16.36-1+deb8u1, and the devs rolled up other planned bug fixes in the same release. ®
Biting the hand that feeds IT
