Protect against vulnerability CVE-2016-5696 in CentOS 6.8

This guide on how to protect against Off-path TCP vulnerability CVE-2016-5696 in a CentOS 6.8 machine.

Run the following command to check the kernel version that your box is running:

uname -r

Run the following to verify your Centos version details:

cat /etc/redhat-release

Below is a screenshot for the outputs for the above commands from my CentOS 6.8 box.

release information screenshot CentOS 6.8

Workaround against the attack:

Open your sysctl.conf file:

vi /etc/sysctl.conf

edit config file command CentOS 6.8

Below is a screenshot of my default sysctl.conf file which does not contain “net.ipv4.tcp_challenge_ack_limit”.

default sysctl.conf in CentOS 6.8

Now add the following line at the end of the config file:

net.ipv4.tcp_challenge_ack_limit = 999999999

Below is a screenshot after editing the config file.

edited-config-file screenshot in CentOS 6.8

Save and exit the file. (Press ESC and then type :wq and hit Enter in your keyboard).

Use the command below to verify if the value of net.ipv4.tcp_challenge_ack_limit is 999999999.

sysctl -p

sysctl -p in CentOS 6.8

If you are able to see the line in the above screenshot, this means that it will make the exploit extremely hard to perform (practically impossible). The above is a workaround to mitigating the Off-Path TCP attack in a CentOS 6.8 machine and will also work for redhat 6.8.

The Fix:

If you are not looking for the workaround but for a permanent fix, then you can upgrade your Linux kernel to 4.6 or above.

If this article helped you, do leave a comment below and like us on Twitter and Facebook. Cheers!

Source: Bobcares

References: Redhat Portal, Redhat Shared Ack Vulnerability