[ubuntu-hardened] CVE-2016-5696: Linux kernel tcp stack implementation (off-path blind TCP session attack).

Marcos Alano marcoshalano at gmail.com
Sat Aug 13 22:09:23 UTC 2016


If you'd like to change it, just use sysctl:
sudo sysctl -w net.ipv4.tcp_challenge_ack_limit=1000

On Sat, 13 Aug 2016 at 10:20, daniel curtis <sidetripping at gmail.com>
wrote:

> Hello.
>
> There is a vulnerability in the Linux kernel's tcp stack implementation
> (kernel versions 3.6 to 4.6) [1]. Since no patch is available yet, users
> can use sysctl to set the challenge ACK limit.
>
> It seems that the Linux kernel (ver. 4.7) resolves this vulnerability by
> randomizing the maximum number of challenge ACKs sent per second and enforcing
> the per-socket challenge ACK limits etc.
>
> So, I would like to ask a question: can I change 'tcp_challenge_ack_limit'
> from a default value: '100' (available in 12.04 LTS release) to e.g.
> '1000'?
>
> For more information see also: [2] and [3].
>
> Best regards.
> _____________
> [1]
> https://blogs.akamai.com/2016/08/vulnerability-in-the-linux-kernels-tcp-stack-implementation.html
> [2] https://lists.debian.org/debian-security/2016/08/msg00035.html
> [3] https://security-tracker.debian.org/tracker/CVE-2016-5696
-- 

Marcos H. Alano

Sent from my Android
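An added example, not from either poster: a small POSIX sh script that checks whether the running kernel is in the 3.6 to 4.6 range named in the thread, whether net.ipv4.tcp_challenge_ack_limit has already been raised above the default of 100, and writes the setting to a sysctl.d drop-in so it survives a reboot. The kernel-version strings and the drop-in path are parameters (on Ubuntu the real drop-in directory is /etc/sysctl.d/).

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes Linux /proc and uname -r.

# ver_le A B: true when major.minor of A <= major.minor of B.
# Works on full strings such as "4.4.0-83-generic".
ver_le() {
  a_maj=${1%%.*}; a_min=${1#*.}; a_min=${a_min%%.*}
  b_maj=${2%%.*}; b_min=${2#*.}; b_min=${b_min%%.*}
  [ "$a_maj" -lt "$b_maj" ] || { [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -le "$b_min" ]; }
}

# kernel_affected VERSION: true for kernels 3.6 through 4.6, the range
# quoted in the thread as affected by CVE-2016-5696.
kernel_affected() {
  ver_le 3.6 "$1" && ver_le "$1" 4.6
}

# assess VERSION LIMIT: print a verdict; return 1 only when an affected
# kernel still runs with the default (100 or lower) challenge ACK limit.
assess() {
  kver="$1"; limit="$2"
  if ! kernel_affected "$kver"; then
    echo "kernel $kver: outside the 3.6-4.6 range; sysctl workaround not needed"
    return 0
  fi
  if [ "$limit" -gt 100 ]; then
    echo "kernel $kver: affected, tcp_challenge_ack_limit raised to $limit"
    return 0
  fi
  echo "kernel $kver: affected and tcp_challenge_ack_limit is still $limit"
  return 1
}

# persist_limit FILE LIMIT: write a sysctl.d style drop-in (FILE is a
# parameter so the function can target a scratch file; use
# /etc/sysctl.d/99-challenge-ack.conf for a real host, then run sysctl -p).
persist_limit() {
  printf 'net.ipv4.tcp_challenge_ack_limit = %s\n' "$2" > "$1"
}

# Live check of this host when the sysctl is readable; the thread's
# one-liner (sudo sysctl -w net.ipv4.tcp_challenge_ack_limit=1000) is the fix.
sysctl_path=/proc/sys/net/ipv4/tcp_challenge_ack_limit
if [ -r "$sysctl_path" ]; then
  assess "$(uname -r)" "$(cat "$sysctl_path")" || true
fi
```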