I recently read about this Linux TCP vulnerability (CVE-2016-5696), which allows an attacker to break or hijack a connection between two machines running Linux (for example a web server and a client). I understand that the problem was introduced in Linux kernel version 3.6 in 2012 and affects all newer versions.
No fix has been released for this yet (as of this writing), but is there any workaround, since this is a fairly important bug?
Run

    sudoedit /etc/sysctl.conf

and add the line

    net.ipv4.tcp_challenge_ack_limit = 999999999

then save the file and run

    sudo sysctl -p

to load the updated configuration. You can also do this directly from the terminal:

    sudo bash -c 'echo "net.ipv4.tcp_challenge_ack_limit = 999999999" >>/etc/sysctl.conf'

or:

    echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p
As described here:
net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly
determine the rate of challenge ACK segments, which makes it easier for
man-in-the-middle attackers to hijack TCP sessions via a blind in-window
attack.
...
sbeattie> fix is going to land in Ubuntu kernels in this SRU cycle,
with a likely release date of Aug 27. Earlier access to the kernels
with the fix will be available from the -proposed pocket, though they
come with the risk of being less tested.
linux (4.4.0-36.55) xenial; urgency=low

  [ Stefan Bader ]

  * Release Tracking Bug
    - LP: #1612305

  * I2C touchpad does not work on AMD platform (LP: #1612006)
    - SAUCE: pinctrl/amd: Remove the default de-bounce time

  * CVE-2016-5696
    - tcp: make challenge acks less predictable

 -- Stefan Bader <stefan.bader@canonical.com>  Thu, 11 Aug 2016 17:34:14 +0200
Run:
sudo apt-get update
sudo apt-get dist-upgrade
apt-cache policy linux-image-generic
echo 999999999 > /proc/sys/net/ipv4/tcp_challenge_ack_limit
- Ben Voigt
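The answers above give two things to check on a machine: whether the running kernel falls in the range the question describes (3.6 up to, but not including, 4.7), and whether the tcp_challenge_ack_limit workaround is in place both live (as in the /proc write in the comment) and persistently in /etc/sysctl.conf (as in the first answer). The script below is an added example, not code from the question, either answer or the comment; the function names, the report wording and the sample inputs are my own. It takes the version range from the question and the quoted CVE text, and the limit 999999999 from the answers. The version check is only a heuristic, because a distribution kernel can carry the fix without a version bump, exactly as the quoted 4.4.0-36.55 changelog shows.

```shell
#!/bin/sh
# Added example (not from the original question or answers): checks for the
# CVE-2016-5696 workaround and the affected-kernel range described above.

# Value taken from the answers above; the check passes when the sysctl is
# at least this large.
WORKAROUND_LIMIT=999999999

# affected_kernel VERSION
# Returns 0 (true) when VERSION, as printed by `uname -r` (e.g. 4.4.0-36-generic),
# lies in the range the question gives: 3.6 <= version < 4.7.
# Heuristic only: distribution kernels backport fixes without changing the
# version number (the 4.4.0-36.55 changelog quoted above is such a case).
affected_kernel() {
    ver="${1%%-*}"            # drop a "-36-generic" style suffix
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 3 ] && [ "$minor" -ge 6 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -lt 7 ] && return 0
    return 1
}

# challenge_ack_limit_ok [FILE]
# Returns 0 when the integer in FILE (default: the live sysctl under /proc)
# is at least WORKAROUND_LIMIT; 1 when it is lower or the file is unreadable.
challenge_ack_limit_ok() {
    f="${1:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"
    [ -r "$f" ] || return 1
    val=$(tr -dc '0-9' < "$f")
    [ -n "$val" ] || return 1
    [ "$val" -ge "$WORKAROUND_LIMIT" ]
}

# sysctl_conf_has_workaround [FILE]
# Returns 0 when FILE (default /etc/sysctl.conf) carries an uncommented
# net.ipv4.tcp_challenge_ack_limit line set to at least WORKAROUND_LIMIT,
# i.e. the setting survives a reboot (a bare write to /proc does not).
# The last matching line wins, as it does for sysctl itself.
sysctl_conf_has_workaround() {
    f="${1:-/etc/sysctl.conf}"
    [ -r "$f" ] || return 1
    val=$(sed -n \
        's/^[[:space:]]*net\.ipv4\.tcp_challenge_ack_limit[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' \
        "$f" | tail -n 1)
    [ -n "$val" ] && [ "$val" -ge "$WORKAROUND_LIMIT" ]
}

# report: summarise the running system; informational only, always returns 0.
report() {
    k=$(uname -r 2>/dev/null || echo unknown)
    if affected_kernel "$k"; then
        echo "kernel $k is in the affected range (3.6 <= v < 4.7); check the distro changelog for a backported fix"
    else
        echo "kernel $k is outside the affected range"
    fi
    if challenge_ack_limit_ok; then
        echo "live tcp_challenge_ack_limit is at or above $WORKAROUND_LIMIT"
    else
        echo "live tcp_challenge_ack_limit is below $WORKAROUND_LIMIT or unreadable"
    fi
    if sysctl_conf_has_workaround; then
        echo "/etc/sysctl.conf makes the workaround persistent"
    else
        echo "/etc/sysctl.conf does not carry the workaround"
    fi
    return 0
}

report
```

Run it as a normal user; reading /proc and /etc/sysctl.conf needs no privileges. A kernel reported as "in the affected range" is not necessarily vulnerable, so the next step is the apt-cache policy check from the second answer against the changelog, not a blind reinstall.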