The last stable release of the kernel, version 4.6.6, was on 10 August.
The flaw was discovered by researchers at the University of California, Riverside, and a user does not need to be running Linux to be affected, since a large proportion of Internet servers run the operating system. It was publicised on 9 August in the US.
Data is broken up into packets for transmission over the Internet, and the sequence numbers of these packets can be used by attackers to track users' online activity, terminate their connections with others and inject material into their communications.
The UCR researchers found a vulnerability, or a side channel as they dubbed it, in the TCP stack used by Linux which allows attackers to guess the sequence numbers if they know the IP addresses of the two parties communicating with each other.
The patch increases the rate of challenge acknowledgement (challenge ACK) signals from 100 to 1000. It also adds randomisation so that an attacker will need to undertake a large number of probes before they can hijack sessions.
In the interim, one fix recommended by California-based sysadmin Rick Moen is to use sysctl to increase the setting in /proc/sys/net/ipv4/tcp_challenge_ack_limit to 999999999.
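As an added example (not part of the article or Moen's own instructions), a small POSIX shell script that checks whether that interim limit is in place and persists it across reboots; the sysctl.d drop-in path is an assumption, and applying the runtime setting requires root.

```shell
#!/bin/sh
# Added example: check and apply the interim tcp_challenge_ack_limit workaround.
# Assumptions: the kernel exposes the limit at the /proc path given in the
# article; the sysctl.d drop-in path below is a constructed choice.

PROC_PATH="${PROC_PATH:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"
MITIGATED_LIMIT=999999999
SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/90-tcp-challenge-ack.conf}"

# Print the current limit read from the given file (defaults to the /proc path).
current_limit() {
    cat "${1:-$PROC_PATH}"
}

# Succeed only if the limit read from the given file is at least the workaround value.
is_mitigated() {
    limit=$(current_limit "$1") || return 1
    [ "$limit" -ge "$MITIGATED_LIMIT" ]
}

# Persist the setting by writing a sysctl.d drop-in (path defaults to SYSCTL_DROPIN).
write_dropin() {
    printf 'net.ipv4.tcp_challenge_ack_limit = %s\n' "$MITIGATED_LIMIT" > "${1:-$SYSCTL_DROPIN}"
}

# Apply immediately (root required); this is the sysctl change the article describes.
apply_now() {
    sysctl -w "net.ipv4.tcp_challenge_ack_limit=$MITIGATED_LIMIT"
}

case "${1:-}" in
    check)
        if is_mitigated; then
            echo "mitigated: limit is $(current_limit)"
        else
            echo "NOT mitigated: limit is $(current_limit 2>/dev/null || echo unknown)"
        fi ;;
    apply)
        write_dropin && apply_now ;;
esac
```

Run it as `sh script.sh check` on an unpatched host to see whether the workaround is active, and `sh script.sh apply` as root to set and persist it.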