[tor-relays] network scan results for CVE-2016-5696 / rfc 5961

Jason Ross algorythm at gmail.com
Thu Nov 17 17:02:05 UTC 2016


Hi David,
Thanks for the heads up! It turns out that my relay is in the list of
affected hosts, however, the kernel I was running (3.16.36-1+deb8u1)
is claimed by Debian to be fixed (see:
https://security-tracker.debian.org/tracker/CVE-2016-5696).

Since your script determines whether the host is affected or not based
on the actual TCP comms (rather than banner grabbing a kernel version
or something), I'm not sure what to make of that - it would seem to
indicate that either the weighting you've devised doesn't fit Debian
hosts, or it could indicate perhaps that the patch Debian maintainers
applied to address the issue wasn't sufficient. I won't pretend to be
clueful enough about low-level TCP stack programming to be able to
tell for sure which is the case, but wanted to mention it in case
others see the same thing.

For my part, I've since updated the kernel on my relay to
3.16.36-1+deb8u2, and applied the sysctl work-around as an additional
measure.
I checked the ACK count using netstat both before and after, and have
included those results here:

Before:
TCPChallengeACK: 1107
TCPSYNChallenge: 7

After:
TCPChallengeACK: 2
TCPSYNChallenge: 2


Thanks!

--
Jason

On Thu, Nov 17, 2016 at 2:30 AM, dawuud <dawuud at riseup.net> wrote:
>
> Hi.
>
> I added the scan output to the repo, this includes the output csv file
> and a list of vulnerable relays:
>
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
>
>
> Upgrade your Linux kernel and reboot your tor relays!
>
> Cheers,
> David
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
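Jason's before/after comparison of the TCPChallengeACK and TCPSYNChallenge counters is a useful way to confirm that a mitigation for CVE-2016-5696 actually took effect on a relay. The script below is an added example, not code from this thread or from David's scanner: it parses the two counters out of `netstat -s`-style output (the `Name: value` line shape shown in the mail), computes the movement between two snapshots, reads the same counters live from /proc/net/netstat on a Linux host, and checks that net.ipv4.tcp_challenge_ack_limit has been raised. The sample snapshot values reuse the numbers from the mail, and the 999999999 threshold is an assumption (the mail does not state which value the sysctl workaround used).

```shell
#!/bin/sh
# Added example (not from the tor-relays thread): compare RFC 5961 challenge-ACK
# counters between two snapshots and sanity-check the sysctl workaround.

# Constructed sample snapshots, in the "Name: value" shape netstat -s prints
# for these TcpExt counters; the numbers mirror the ones quoted in the mail.
NETSTAT_BEFORE="TCPChallengeACK: 1107
TCPSYNChallenge: 7"
NETSTAT_AFTER="TCPChallengeACK: 2
TCPSYNChallenge: 2"

# counter_value NAME TEXT: print the integer following "NAME:" in TEXT, or 0
# when the counter does not appear (older kernels do not export it at all).
counter_value() {
    printf '%s\n' "$2" | awk -v name="$1:" '
        $1 == name { print $2; found = 1 }
        END { if (!found) print 0 }
    '
}

# counter_delta NAME BEFORE AFTER: how far the counter moved between snapshots.
# A large TCPChallengeACK count over a short window is the symptom worth
# watching; after the fix the counter should stay near zero on an idle relay.
counter_delta() {
    echo $(( $(counter_value "$1" "$3") - $(counter_value "$1" "$2") ))
}

# live_counter NAME: same lookup against /proc/net/netstat on a running Linux
# host, where the TcpExt: header row is followed by a TcpExt: value row.
# Prints 0 on systems without /proc/net/netstat so the script stays portable.
live_counter() {
    [ -r /proc/net/netstat ] || { echo 0; return; }
    awk -v name="$1" '
        $1 == "TcpExt:" && hdr == 0 { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
        $1 == "TcpExt:" && hdr == 1 { done = 1; if (name in col) print $(col[name]); else print 0; exit }
        END { if (!done) print 0 }
    ' /proc/net/netstat
}

# challenge_ack_limit_ok VALUE: the sysctl workaround raises
# net.ipv4.tcp_challenge_ack_limit far above the old default so the global
# per-second cap can no longer be observed cheaply. 999999999 is an assumed
# threshold; compare against whatever value your distribution's advisory gives.
challenge_ack_limit_ok() {
    [ "$1" -ge 999999999 ]
}

# Report on the constructed snapshots and, where available, the live host.
for name in TCPChallengeACK TCPSYNChallenge; do
    printf '%s: before=%s after=%s delta=%s live=%s\n' "$name" \
        "$(counter_value "$name" "$NETSTAT_BEFORE")" \
        "$(counter_value "$name" "$NETSTAT_AFTER")" \
        "$(counter_delta "$name" "$NETSTAT_BEFORE" "$NETSTAT_AFTER")" \
        "$(live_counter "$name")"
done
if [ -r /proc/sys/net/ipv4/tcp_challenge_ack_limit ]; then
    limit=$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit)
    if challenge_ack_limit_ok "$limit"; then
        echo "tcp_challenge_ack_limit=$limit: workaround applied"
    else
        echo "tcp_challenge_ack_limit=$limit: workaround NOT applied"
    fi
fi
```

On a real relay, take the first snapshot with `netstat -s`, wait a fixed interval, take the second, and feed both to `counter_delta`; the sysctl check is only a supplement, since a kernel that carries the actual fix does not need the raised limit to be safe.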

