Date: Tue, 12 Jul 2016 18:20:18 +1000 From: Wade Mealing <wmealing@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2016-5389: linux kernel - challange ack information leak. I've since been contacted by the researcher and have been told that CVE-2016-5696 was reserved by mitre for this issue. I'd like to withdraw the usage of this CVE number and use CVE-2016-5696. Sorry for any confusion. Wade Mealing On Tue, Jul 12, 2016 at 2:33 PM, Wade Mealing <wmealing@...hat.com> wrote: > Gday, > > Red Hat Product Security has been made aware of an important issue in > the Linux kernel's implementation of challenge ACKS as specified in > RFC 5961. An attacker which knows a connections client IP, server IP > and server port can abuse the challenge ACK mechanism > to determine the accuracy of a normally 'blind' attack on the client or server. > > Successful exploitation of this flaw could allow a remote attacker to > inject or control a TCP stream contents in a connection between a > Linux device and its connected client/server. > > * This does NOT mean that cryptographic information is exposed. > * This is not a Man in the Middle (MITM) attack. > > This was reported to Red Hat by Yue Cao, part of the Cyber Security > Group in the University of California > > Thanks, > > Wade Mealing > Red Hat Product Security Team > > Red Hat Bugzilla: > > https://bugzilla.redhat.com/show_bug.cgi?id=1354708 > > Patch: > > https://www.mail-archive.com/netdev@...r.kernel.org/msg118677.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ