
VN 2016 008 (CVE-2016-5696)

Vulnerability Notice

 
Vulnerability Summary
net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack.

Background (From CVE Project)
CVE-2016-5696
   Release Date:  August 6, 2016
   CVSS v3 base score:  5.9

Impact 
Allows unauthorized disclosure of information
Products Potentially Affected
The following is the vulnerability status of the software products supported by Extreme Networks for this issue:
 
Product                                          Vulnerable
ExtremeXOS (all products)                        No
A, B, C, D, G, I and 800 Series Fixed Switches   No
IDS/IPS                                          Yes
ExtremeWireless (IdentiFi)                       No
Extreme Cloud                                    No
N, K, SSA, and S Modular Switches                No
Extreme Management (NetSight)                    Yes
Extreme Control (NAC)                            Yes
Extreme Analytics (Purview)                      Yes
Ridgeline                                        Investigating
Security Information & Event Manager             Investigating
Summit WM3000 Series                             No
X-Series Secure Core Router                      Investigating
XSR (X-Pedition Security Router)                 No
Impact Details
ExtremeXOS (all products)
  • Vulnerable Yes / No: No (all EXOS 15.x, 16.x and 21.x releases use Linux kernel 2.6.28, which is not vulnerable. EXOS 22.x will use Linux kernel 3.18 with a patch for CVE-2016-5696.)
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
A, B, C, D, G, I and 800 Series Fixed Switches
  • Vulnerable Yes / No: No, Linux is not used
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
IDS/IPS
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: Appliance Image
  • Describe conditions when component Vulnerability occurs(why/when/how): At any time, an attacker could hijack an active TCP session, causing denial of service.
  • Product version(s) affected: All
  • Workaround: None
  • Target Fix Release: tbd
  • Target Month for Fix Release: tbd
ExtremeWireless (IdentiFi)
Extreme Networks Wireless Controllers:
  • Vulnerable Yes / No: No (not running vulnerable Kernel version)
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
Extreme Networks Wireless 36xx, 37xx, 38xx, and 39xx series APs
  • Vulnerable Yes/ No: No (not running vulnerable Kernel version)
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
ExtremeCloud
  • Vulnerable Yes/ No: No (although ExtremeCloud runs vulnerable versions of the Linux kernel, the only protocols exchanged between ExtremeCloud and the Internet are TLS or SSH based. According to "Off-Path TCP Exploits", which describes the vulnerability, the use of TLS or SSH completely mitigates the attack.)
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
N, K, SSA, and S Modular Switches
  • Vulnerable Yes / No: No
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
Extreme Management (NetSight)
  • Vulnerable Yes / No: Yes
  • Vulnerable Component:  Linux Kernel 4.4.0.83 (All Kernel Versions 3.6 to 4.6)
  • Describe conditions when component Vulnerability occurs(why/when/how): Challenge ACK packets were introduced in Linux kernel 3.6 to prevent spoofed packet injection attacks. Sending a challenge ACK requires knowing both IP addresses and the source and destination ports, known together as the four-tuple. The intent was to ensure that no one could jump into the middle of a valid connection. If an attacker correctly inferred the source and destination ports and found the correct IP addresses, they could send these packets until the server hit its challenge ACK limit. Once this limit is reached, the server stops sending challenge ACK packets, and the attacker could then inject anything without intervention from the server.
  • Product version(s) affected:   7.1, 8.0.x 
  • Workaround: Set a high challenge ACK limit value in sysctl.conf
  • Target Fix Release:   8.0.3
Extreme Control (NAC)
  • Vulnerable Yes / No: Yes
  • Vulnerable Component:  Linux Kernel 4.4.0.83 (All Kernel Versions 3.6 to 4.6)
  • Describe conditions when component Vulnerability occurs(why/when/how): Challenge ACK packets were introduced in Linux kernel 3.6 to prevent spoofed packet injection attacks. Sending a challenge ACK requires knowing both IP addresses and the source and destination ports, known together as the four-tuple. The intent was to ensure that no one could jump into the middle of a valid connection. If an attacker correctly inferred the source and destination ports and found the correct IP addresses, they could send these packets until the server hit its challenge ACK limit. Once this limit is reached, the server stops sending challenge ACK packets, and the attacker could then inject anything without intervention from the server.
  • Product version(s) affected:   7.1, 8.0.x
  • Workaround: Set a high challenge ACK limit value in sysctl.conf
  • Target Fix Release:   8.0.3
Extreme Analytics (Purview)
  • Vulnerable Yes / No: Yes
  • Vulnerable Component:  Linux Kernel 4.4.0.83 (All Kernel Versions 3.6 to 4.6)
  • Describe conditions when component Vulnerability occurs(why/when/how): Challenge ACK packets were introduced in Linux kernel 3.6 to prevent spoofed packet injection attacks. Sending a challenge ACK requires knowing both IP addresses and the source and destination ports, known together as the four-tuple. The intent was to ensure that no one could jump into the middle of a valid connection. If an attacker correctly inferred the source and destination ports and found the correct IP addresses, they could send these packets until the server hit its challenge ACK limit. Once this limit is reached, the server stops sending challenge ACK packets, and the attacker could then inject anything without intervention from the server.
  • Product version(s) affected:  7.1, 8.0.x
  • Workaround: Set a high challenge ACK limit value in sysctl.conf
  • Target Fix Release:   8.0.3
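The three entries above describe the same exposure (a Linux kernel in the 3.6 to 4.6 series) and the same interim workaround (a high challenge ACK limit in sysctl.conf). The following is an added triage helper written for this notice, not code from Extreme Networks or from the kernel: it classifies a host from its `uname -r` string and its sysctl.conf contents. The sysctl it looks for is `net.ipv4.tcp_challenge_ack_limit`, the kernel's name for the limit this notice refers to; the threshold for what counts as "high" (`HIGH_LIMIT`), the `assess_host` function and the sample inputs are assumptions made for this example. A version string alone cannot show a backported fix (the notice itself lists EXOS 22.x as running a patched 3.18), so treat "exposed" as a prompt to check the vendor status, not as a verdict.

```python
import re

# Kernel series the notice lists as affected: challenge ACKs were introduced
# in 3.6 and the rate-limit fix landed in 4.7, so 3.6 <= version < 4.7 is in scope.
AFFECTED_MIN = (3, 6)
FIXED_IN = (4, 7)

# Kernel sysctl that sets the challenge ACK rate limit the notice talks about.
CHALLENGE_ACK_SYSCTL = "net.ipv4.tcp_challenge_ack_limit"

# Our own threshold for a "high" limit; the notice gives no number (assumption).
HIGH_LIMIT = 999_999_999


def parse_kernel_version(release):
    """Return (major, minor) from a `uname -r` style string such as '4.4.0-83-generic'."""
    m = re.match(r"^\s*(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def kernel_in_affected_range(release):
    """True when the running kernel falls in the 3.6 .. 4.6 series from the notice."""
    return AFFECTED_MIN <= parse_kernel_version(release) < FIXED_IN


def parse_sysctl_conf(text):
    """Parse sysctl.conf-style text into {key: value}.

    Handles '#' and ';' comments, blank lines, 'key = value' spacing, and the
    slash form of keys (net/ipv4/...) that sysctl also accepts.
    """
    settings = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def challenge_ack_limit_from_conf(text):
    """Return the configured challenge ACK limit as an int, or None if unset/invalid."""
    value = parse_sysctl_conf(text).get(CHALLENGE_ACK_SYSCTL)
    if value is None:
        return None
    try:
        return int(value)
    except ValueError:
        return None


def assess_host(release, sysctl_conf_text):
    """Classify a host as 'not_affected', 'mitigated' or 'exposed' for this notice.

    'mitigated' means the kernel is in the affected series but the workaround
    (a high challenge ACK limit) is present in the supplied sysctl.conf text.
    """
    if not kernel_in_affected_range(release):
        return "not_affected"
    limit = challenge_ack_limit_from_conf(sysctl_conf_text)
    if limit is not None and limit >= HIGH_LIMIT:
        return "mitigated"
    return "exposed"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real host.
    sample_conf = (
        "# hardening applied per vendor notice\n"
        "net.ipv4.tcp_challenge_ack_limit = 999999999\n"
        "net.ipv4.ip_forward = 0   ; unrelated setting\n"
    )
    for rel, conf in [("4.4.0-83-generic", ""), ("4.4.0-83-generic", sample_conf), ("2.6.28", "")]:
        print(f"{rel:20s} -> {assess_host(rel, conf)}")
```

Run it against `uname -r` and the contents of `/etc/sysctl.conf` (and any drop-ins under `/etc/sysctl.d/`) from each management, NAC or analytics appliance; a host that reports "exposed" should be scheduled for the 8.0.3 release listed above or have the workaround applied.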
Ridgeline
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
Security Information & Event Manager
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
Summit WM3000 Series
  • Vulnerable Yes / No: No
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
X-Series Secure Core Router
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
XSR (X-Pedition Security Router)
  • Vulnerable Yes / No: No
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how): Not applicable to XSR as it does not use Linux
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
Repair Recommendations
The resolution to any threat or issue is dependent upon a number of things, including the setup of the computer network and how the local IT team wants to address the situation. Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the situation in a manner that it determines will best address the set-up of its computer network. Update the software, identified in this Notice, in your Extreme Networks products by replacing it with the latest releases from Extreme Networks including those listed above.

Firmware and software can be downloaded from www.extremenetworks.com/support.
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.
