SA131 : TCP Session Hijacking in Operating Systems Supporting RFC 5961
- Status: Open
- Severity: Medium
- CVSS v2 Base Score: 4.3
Blue Coat products that include a vulnerable version of an operating system that supports RFC 5961 are susceptible to a TCP session hijacking vulnerability. A remote, off-path attacker can infer the sequence numbers of an existing TCP connection, and either reset the connection or inject arbitrary data.
The following products are vulnerable:
| Product | CVE | Version | Remediation |
|---|---|---|---|
| Content Analysis System (CAS) | CVE-2016-5696 | 2.1 and later | Not vulnerable, fixed in 184.108.40.206 |
| | | 1.3 | Upgrade to 220.127.116.11. |
| Mail Threat Defense (MTD) | CVE-2016-5696 | 1.1 | Not available at this time |
| Malware Analysis Appliance (MAA) | CVE-2016-5696 | 4.2 | Upgrade to 4.2.11. |
| Management Center (MC) | CVE-2016-5696 | 1.8 and later | Not vulnerable, fixed in 18.104.22.168 |
| | | 1.7 | Upgrade to 22.214.171.124. |
| | | 1.6 | Upgrade to later release with fixes. |
| | | 1.5 | Upgrade to later release with fixes. |
| Norman Shark Industrial Control System Protection (ICSP) | CVE-2016-5696 | 5.4 | Not vulnerable, fixed in 5.4.1 |
| | | 5.3 | Not available at this time |
| Norman Shark Network Protection (NNP) | CVE-2016-5696 | 5.3 | A fix will not be provided. |
| Norman Shark SCADA Protection (NSP) | CVE-2016-5696 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes. |
| PacketShaper (PS) S-Series | CVE-2016-5696 | 11.7 and later | Not vulnerable, fixed in 126.96.36.199 |
| | | 11.6 | Upgrade to 188.8.131.52. |
| | | 11.5 | Not available at this time |
| | | 11.4 | Not available at this time |
| | | 11.3 | Not available at this time |
| | | 11.2 | Not available at this time |
| PolicyCenter (PC) S-Series | CVE-2016-5696 | 1.1 | Upgrade to 184.108.40.206. |
| Reporter | CVE-2016-5696 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1. |
| | | 10.1 | Upgrade to 10.1.5.1. |
| Security Analytics | CVE-2016-5696 | 7.3 and later | Not vulnerable, fixed in 7.3.1. |
| | | 7.2 | Upgrade to 7.2.2. |
| SSL Visibility (SSLV) | CVE-2016-5696 | 3.11 and later | Not vulnerable, fixed in 220.127.116.11 |
| | | 3.10 | Not available at this time |
| | | 3.9 | Upgrade to 18.104.22.168. |
| | | 3.8.4FC | Not available at this time |
The following products have a vulnerable version of an operating system that supports RFC 5961, but are not vulnerable to known vectors of attack:
| Product | CVE | Version | Remediation |
|---|---|---|---|
| Advanced Secure Gateway (ASG) | CVE-2016-5696 | 6.7 | Not vulnerable, fixed in 22.214.171.124 |
| | | 6.6 | Upgrade to 126.96.36.199. |
The following products are not vulnerable:
- Android Mobile Agent
- Blue Coat HSM Agent for the Luna SP
- Cloud Data Protection for Salesforce
- Cloud Data Protection for Salesforce Analytics
- Cloud Data Protection for ServiceNow
- Cloud Data Protection for Oracle CRM On Demand
- Cloud Data Protection for Oracle Field Service Cloud
- Cloud Data Protection for Oracle Sales Cloud
- Cloud Data Protection Integration Server
- Cloud Data Protection Communication Server
- Cloud Data Protection Policy Builder
- General Auth Connector Login Application
- IntelligenceCenter Data Collector
- ProxyAV ConLog and ConLogXP
Blue Coat no longer provides vulnerability information for the following products:
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
| Field | Details |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) |
| References | SecurityFocus: BID 91704 / NVD: CVE-2016-5696 |
| Impact | Denial of service, unauthorized data modification |
| Description | A side channel flaw in TCP packet handling allows a remote attacker to send spoofed packets and hijack a TCP connection. The attacker can reset the connection or inject arbitrary data. |
This Security Advisory addresses TCP session hijacking vulnerabilities in operating systems that support RFC 5961 - Improving TCP's Robustness to Blind In-Window Attacks. RFC 5961 provides defenses against the following blind in-window attacks that affect the original TCP protocol specified in RFC 793 - Transmission Control Protocol:
According to RFC 793, TCP hosts that receive one of the packets above only need to verify that the packet's sequence number is within the target's receive window. An attacker can successfully perform these attacks if they can guess sequence numbers within the target's receive window. RFC 5961 tightens the sequence number checks as follows:
RFC 5961 specifies a challenge ACK throttling mechanism to control the rate of outgoing challenge ACK packets and prevent them from consuming the target host's CPU and bandwidth resources. The throttling mechanism uses a global, system-wide counter to control the rate of challenge ACK packets among all existing network connections on the system. The counter is configurable, but uses a well-known default value N.
Security researchers have discovered that the global challenge ACK counter exposes a side channel for inferring TCP sequence numbers and hijacking existing TCP connections:
After guessing the TCP connection's sequence numbers, the attacker can reset the connection or inject arbitrary data.
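The throttling mechanism described above, as an added simulation that is not part of the advisory or any vendor's code: with a single host-wide budget, as RFC 5961 specifies, the number of challenge ACKs one connection receives depends on traffic to a different connection, while per-connection accounting with a jittered budget (an assumed mitigation design, not a statement of how any listed product was fixed) removes that coupling.

```python
# Added illustration (not from the advisory or any vendor code): a system-wide
# challenge ACK budget couples unrelated connections; per-connection budgets do not.
import random

class GlobalLimiter:
    """One host-wide budget of `limit` challenge ACKs per second (RFC 5961 mechanism)."""
    def __init__(self, limit):
        self.limit, self.sent = limit, 0
    def new_second(self):
        self.sent = 0
    def challenge_ack(self, conn):
        if self.sent >= self.limit:
            return False            # throttled: no challenge ACK leaves the host
        self.sent += 1
        return True

class PerConnectionLimiter:
    """Assumed mitigation design: each connection gets its own budget, re-randomised
    every second, so one connection's traffic cannot alter what another observes."""
    def __init__(self, limit, seed=0):
        self.limit, self.rng, self.sent = limit, random.Random(seed), {}
        self.new_second()
    def new_second(self):
        self.sent = {}
        self.budget = self.rng.randint(self.limit // 2, self.limit)  # jittered budget
    def challenge_ack(self, conn):
        if self.sent.get(conn, 0) >= self.budget:
            return False
        self.sent[conn] = self.sent.get(conn, 0) + 1
        return True

def acks_seen_by(limiter, conn, probes, other_conn=None, other_load=0):
    """Simulate one second: `other_load` challenge-triggering packets on `other_conn`
    arrive first, then `probes` on `conn`. Returns challenge ACKs `conn` receives."""
    limiter.new_second()
    for _ in range(other_load):
        limiter.challenge_ack(other_conn)
    return sum(limiter.challenge_ack(conn) for _ in range(probes))

def coupling(limiter_cls, limit=100, probes=10, other_load=0):
    """Challenge ACKs connection 'A' receives while connection 'B' carries `other_load`."""
    return acks_seen_by(limiter_cls(limit), "A", probes, "B", other_load)

if __name__ == "__main__":
    # Global budget: B's load alone decides what A sees (10 with no load, 0 when B exhausts it).
    print(coupling(GlobalLimiter, other_load=0), coupling(GlobalLimiter, other_load=100))
    # Per-connection budget: A sees the same count regardless of B.
    print(coupling(PerConnectionLimiter, other_load=0), coupling(PerConnectionLimiter, other_load=100))
```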
Off-Path TCP Exploits: Global Rate Limit Considered Dangerous - http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
RFC 5961 - Improving TCP's Robustness to Blind In-Window Attacks - https://tools.ietf.org/html/rfc5961
RFC 793 - Transmission Control Protocol - https://tools.ietf.org/html/rfc793
2019-09-21 SA 8.0 is not vulnerable. ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 188.8.131.52.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-18 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-29 A fix for ASG 6.6 is available in 184.108.40.206.
2017-03-08 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable. A fix for PolicyCenter S-Series is available in 220.127.116.11. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-01-25 A fix for Security Analytics 7.2 is available in 7.2.2.
2017-01-24 A fix for CAS 1.3 is available in 18.104.22.168.
2017-01-13 A fix in SSLV 3.9 is available in 22.214.171.124.
2017-01-10 A fix for Reporter 10.1 is available in 10.1.5.1.
2016-12-19 A fix for MAA is available in 4.2.11.
2016-12-02 A fix is available in SSLV 126.96.36.199.
2016-12-02 PacketShaper S-Series 11.7 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.7 is vulnerable and a fix for MC 1.7 is available in 188.8.131.52.
2016-11-11 SSLV 3.10 is vulnerable. A fix is not available at this time.
2016-11-04 A fix for PacketShaper S-Series is available in 184.108.40.206.
2016-09-14 initial public release
2016-09-15 ASG has a vulnerable version of an operating system that supports RFC 5961, but is not vulnerable to known vectors of attack.