Friday, August 12, 2016

Security Notification: Off-Path TCP Linux Kernel Vulnerability (CVE-2016-5696)

[UPDATE: 2016-08-22]

Bitnami Cloud Hosting (BCH) images have been updated. New servers launched from them include the fix for this vulnerability.

[UPDATE: 2016-08-18]

All the affected cloud images and virtual machines have been successfully patched.

If you are using an existing Bitnami Cloud Hosting instance, you can patch it yourself by following the guide below while we upgrade the base images.

[UPDATE: 2016-08-17]

The Bitnami Team is happy to announce that the images for Google Cloud, Azure, 1&1 and GoDaddy have been updated. We continue working on releasing updated images for all of our other cloud platform partners, as well as the virtual machines and native installers.

----

A new security vulnerability in the Linux kernel's TCP stack has been disclosed (CVE-2016-5696). It abuses the global rate limit the kernel applies to "challenge ACKs", the RFC 5961 defence against blind in-window RST and data injection. Because that counter is shared by every connection on the host, an off-path attacker (one who cannot see the traffic) can probe it as a side channel to learn whether two hosts have a connection, infer the sequence and acknowledgement numbers in use, and then reset the connection or inject data into it. You can find more information in the research report "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous".

The affected code was introduced in 2012 with Linux kernel 3.6, so every Bitnami-packaged image may be affected unless its kernel has since been updated. At the time of writing, patched kernel packages have NOT yet been released for Debian and Ubuntu, the base operating systems for most Bitnami virtual machines. We will keep this blog post updated.

We believe it is of the utmost importance to address security issues in the applications Bitnami distributes quickly, and our team is working to update all of the affected virtual machines and cloud images available through Bitnami for every cloud provider.

In the meantime, you can mitigate the problem by raising the challenge ACK rate limit on your system. Run the following commands (they need root, hence sudo):
sudo sysctl -w net.ipv4.tcp_challenge_ack_limit=1073741823; grep -q tcp_challenge_ack_limit /etc/sysctl.conf || echo "net.ipv4.tcp_challenge_ack_limit=1073741823" | sudo tee -a /etc/sysctl.conf
Please note that this is a temporary workaround, not a fix. Setting the limit to an effectively unreachable value (2^30 - 1) makes the shared counter useless as a side channel, so exploitation becomes a lot harder; the price is that the kernel no longer rate-limits challenge ACKs at all. The first command changes the running kernel immediately; the second persists the setting in /etc/sysctl.conf so it survives a reboot (the grep check only skips the append if the key is already present in the file, including a commented-out line, so check the file if you have customised it). You can verify the active value at any time with: sysctl net.ipv4.tcp_challenge_ack_limit. You can find more information about this workaround in a writeup on the Akamai blog.

Once the new kernel is available, you can update it by running the commands specific to your distribution:

  • Ubuntu 
sudo apt-get update && sudo apt-get dist-upgrade 
You will have the fixed version of the kernel after rebooting your server.

  • Debian 
sudo apt-get update && sudo apt-get dist-upgrade 
You will have the fixed version of the kernel after rebooting your server.

  • Oracle Linux 
sudo yum update
sudo yum upgrade
You will have the fixed version of the kernel after rebooting your server.

  • Amazon Linux & Red Hat Enterprise Linux
sudo yum clean all
sudo yum update kernel
You will have the fixed version of the kernel after rebooting your server.

After the reboot, compare the output of uname -r with the kernel package version listed in your distribution's security advisory for CVE-2016-5696; distributions backport the fix into their existing kernel series, so the version number alone does not tell you whether the fix is present.
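As an added example that is not part of the original Bitnami post, the following bash script combines the two procedures above: it applies and persists the sysctl workaround idempotently (rewriting a commented-out line instead of silently skipping it, which the one-liner's grep check does), and it reports whether the live limit is mitigated and whether the running kernel is at least a version you supply. The function names, the SYSCTL_FILE variable and the "4.7" threshold (the mainline release containing the fix) are assumptions; distribution kernels carry the fix under their own package versions, so take the threshold from your distribution's advisory rather than from this script. It assumes Linux with GNU sed and coreutils, and root for the apply step.

```bash
#!/usr/bin/env bash
# Added example, not from the original Bitnami post. Assumes Linux with
# GNU sed/coreutils (sed -i, sort -V) and root privileges for "apply".
set -u

SYSCTL_KEY="net.ipv4.tcp_challenge_ack_limit"
MITIGATED_LIMIT=1073741823                # 2^30-1, the value used in the post
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.conf}"   # assumed persistence file
MAINLINE_FIXED="4.7"                      # assumed threshold: mainline fix release

# True if LIMIT is high enough that the shared challenge ACK counter cannot be
# driven to its ceiling by an attacker. The kernel default (100 per second) is
# exactly what the off-path attack counts against.
limit_is_mitigated() {
  [ "$1" -ge "$MITIGATED_LIMIT" ]
}

# Set KEY=VALUE in FILE idempotently: rewrite an existing line in place (even
# a commented-out one), append if absent, and print the resulting line.
persist_sysctl() {
  local file="$1" key="$2" value="$3"
  touch "$file"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
  grep -E "^${key}=" "$file"
}

# True if kernel release HAVE is at least WANT under version ordering, so
# "4.4.0-34-generic" < "4.7" and "4.7.2" >= "4.7".
kernel_at_least() {
  local want="$1" have="$2"
  [ "$(printf '%s\n' "$want" "$have" | sort -V | head -n1)" = "$want" ]
}

# Apply the workaround to the running kernel and make it survive a reboot.
apply_mitigation() {
  sysctl -w "${SYSCTL_KEY}=${MITIGATED_LIMIT}" >/dev/null
  persist_sysctl "$SYSCTL_FILE" "$SYSCTL_KEY" "$MITIGATED_LIMIT"
}

# Report the live state of this host without changing anything.
report() {
  local proc=/proc/sys/net/ipv4/tcp_challenge_ack_limit live
  if [ -r "$proc" ]; then
    live=$(cat "$proc")
    if limit_is_mitigated "$live"; then
      echo "challenge ACK limit $live: workaround active"
    else
      echo "challenge ACK limit $live: NOT mitigated (kernel default is 100)"
    fi
  else
    echo "$proc not readable: not a Linux host, or no permission"
  fi
  if kernel_at_least "$MAINLINE_FIXED" "$(uname -r)"; then
    echo "kernel $(uname -r) is >= $MAINLINE_FIXED"
  else
    echo "kernel $(uname -r) is < $MAINLINE_FIXED: check your distribution's advisory for the fixed package"
  fi
}

case "${1:-report}" in
  apply)  apply_mitigation ;;
  report) report ;;
  *)      echo "usage: $0 {report|apply}" >&2 ;;
esac
```

Run it with no arguments (or "report") to see whether the workaround is active and how the running kernel compares with the threshold, and with "apply" as root to install the workaround. The version comparison is only meaningful against the package version your distribution names as fixed, since Debian, Ubuntu and Red Hat backport the change without moving to kernel 4.7.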


If you have any questions about this process, please post to our community support forum and we will be happy to help! 

6 comments:

  1. Hi. I have a WordPress image (4.5.3) on a Google Cloud instance. It's just not updating to 4.6 // Is it because the patch is not available or is it some other issue?

    1. Hi Karan,

      Looks like a different issue- you should be able to update your instance through the Wordpress admin panel. If you're having trouble, our engineers would be glad to help on our community page at https://community.bitnami.com. Just create a new topic describing your issue and they'll give you a hand!

      Thanks,
      Brad

  2. I have a Google Cloud image installation and performed the Debian "sudo apt-get update && sudo apt-get dist-upgrade" as suggested in this article. The upgrade failed complaining about a "Stackdriver" API key.

    1. Hi Doug,

      Sorry to hear you're having trouble and we appreciate the feedback. Reach out to our community forums (https://community.bitnami.com/) and we'll do our best to find a solution for you.

      Best,
      Mavian

    2. You can find your API key here: https://app.google.stackdriver.com/settings/accounts/agent/

  3. I have followed the update procedure as mentioned for the Debian kernel. But I miss a check that everything was successful.
    For instance, what kernel should I have now? I found out that with the command uname -r I can find the version of the kernel, but not what I should have at minimum.


Please use our community forum if you have any questions community.bitnami.com