On 08th August, 2016, a flow has been discovered in the Linux kernel's TCP/IP implementation of the challenge ACK rate limiting (RFC 5961). An attacker located on different subnet could inject malicious data, or take over unsecured TCP connections.
This flow affects most of linux kernels from version 3.6 to 4.6.
net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack.
This issue affects most of DenyAll products :
- i-Suite LTS 5.5.X
- DenyAll WAF 6.X
rWeb and DAOS products are not impacted.
Next released versions of i-Suite LTS and DenyAll WAF will contain the kernel fix but today as a workaround, you can raise the ACK rate limit to an arbitrary high value that will make the vulnerability more difficult to exploit.
The ACK rate limit can be raised with the sysctl option "net.ipv4.tcp_challenge_ack_limit". Use the following CPT to mitigate this issue :
Installation procedure on i-Suite and DenyAll WAF :
- Go to the i-Boxes panel (Setup > i-Boxes).
- Select an i-Box and click right on it.
- Select Support Debug Script in Utils menu.
- Upload the CPT then OK.
- Repeat previous steps for each i-Box.
- In i-Suite 5.5.X, if you are using Sysctl profiles, open the Modify window and click OK. Repeat this for each i-Box.
- In DenyAll WAF 6.X, run an apply on each i-Box.