[tor-relays] network scan results for CVE-2016-5696 / rfc 5961

dawuud dawuud at riseup.net
Fri Nov 18 00:21:28 UTC 2016


Hi Jason,

Thanks for your observation. I'll try to investigate soon.

Cheers,

David

On Thu, Nov 17, 2016 at 12:02:05PM -0500, Jason Ross wrote:
> Hi David,
> Thanks for the heads up! It turns out that my relay is in the list of
> affected hosts, however, the kernel I was running (3.16.36-1+deb8u1)
> is claimed by Debian to be fixed (see:
> https://security-tracker.debian.org/tracker/CVE-2016-5696).
> 
> Since your script determines whether the host is affected or not based
> on the actual TCP comms (rather than banner grabbing a kernel version
> or something), I'm not sure what to make of that - it would seem to
> indicate that either the weighting you've devised doesn't fit Debian
> hosts, or it could indicate perhaps that the patch Debian maintainers
> applied to address the issue wasn't sufficient. I won't pretend to be
> clueful enough about low-level TCP stack programming to be able to
> tell for sure which is the case, but wanted to mention it in case
> others see the same thing.
> 
> For my part, I've since updated the kernel on my relay to
> 3.16.36-1+deb8u2, and applied the sysctl work-around as an additional
> measure.
> I checked the ACK count using netstat both before and after, and have
> included those results here:
> 
> Before:
> TCPChallengeACK: 1107
> TCPSYNChallenge: 7
> 
> After:
> TCPChallengeACK: 2
> TCPSYNChallenge: 2
> 
> 
> Thanks!
> 
> --
> Jason
> 
> On Thu, Nov 17, 2016 at 2:30 AM, dawuud <dawuud at riseup.net> wrote:
> >
> > Hi.
> >
> > I added the scan output to the repo, this includes the output csv file
> > and a list of vulnerable relays:
> >
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
> >
> >
> > Upgrade your Linux kernel and reboot your tor relays!
> >
> > Cheers,
> > David
> >
> > _______________________________________________
> > tor-relays mailing list
> > tor-relays at lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> >
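
Added example (not part of either message, and not code from the scan_tor_rfc5961 repository): a shell check a relay operator can run to read the two counters quoted above and the challenge-ACK limit. It assumes the sysctl work-around mentioned is net.ipv4.tcp_challenge_ack_limit, which the thread does not name; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the scan_tor_rfc5961 repository.

# Print one TcpExt counter from input in /proc/net/netstat format: a "TcpExt:"
# line of field names followed by a "TcpExt:" line of values in the same order.
# $1 = counter name, $2 = file ("-" for stdin, default /proc/net/netstat).
tcpext_counter() {
    awk -v want="$1" '
        $1 == "TcpExt:" && !hdr { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
        $1 == "TcpExt:"         { if (want in col) { print $(col[want]); found = 1 } exit }
        END                     { exit !found }
    ' "${2:-/proc/net/netstat}"
}

# Classify a tcp_challenge_ack_limit value (assumed to be the sysctl meant in
# the thread). 100 was the mainline default before the CVE-2016-5696 fix.
classify_ack_limit() {
    case "$1" in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$1" -le 100 ]; then echo low; else echo raised; fi ;;
    esac
}

# Constructed sample using the "Before" numbers quoted above.
sample_netstat() {
    cat <<'EOF'
TcpExt: SyncookiesSent TCPChallengeACK TCPSYNChallenge TCPFastOpenActive
TcpExt: 0 1107 7 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
}

# Print both counters and the limit; $1 and $2 override the default paths.
report() {
    for c in TCPChallengeACK TCPSYNChallenge; do
        v=$(tcpext_counter "$c" "${1:-/proc/net/netstat}") || v="n/a"
        echo "$c: $v"
    done
    lim=$(cat "${2:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}" 2>/dev/null) || lim=""
    echo "tcp_challenge_ack_limit: ${lim:-n/a} ($(classify_ack_limit "$lim"))"
}

# On a Linux host, report the live values.
if [ -r /proc/net/netstat ]; then report; fi
```

The counters in /proc/net/netstat restart from zero at boot, so two readings are only comparable when taken over a similar uptime.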

