PT-2016-6646 · Palo Alto Networks+7 · Pan-Os+7
Yue Cao · Published 2016-07-31 · Updated 2021-11-17 · CVE-2016-5696
CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 4.7
PAN-OS versions 6.1, 7.0.15 and earlier, 7.1.9 and earlier
Description
The issue is related to the improper determination of the rate of challenge ACK segments in the Linux kernel and PAN-OS, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack. This allows potential attackers to reset (RST) valid connections, as well as inject data on unencrypted connections. An off-path attacker may also be able to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes with probing packets. Successful exploitation of this issue may allow an attacker to terminate a TCP connection or inject a payload into a non-secured TCP connection between two endpoints on the network.
Recommendations
For Linux kernel versions prior to 4.7, update to version 4.7 or later to resolve the issue.
For PAN-OS versions 6.1, 7.0.15 and earlier, update to a version later than 7.0.15.
For PAN-OS versions 7.1.9 and earlier, update to a version later than 7.1.9.
As a temporary workaround, consider restricting access to sensitive data transmitted over TCP connections until the issue is resolved.
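To triage an asset inventory against the affected versions and recommendations above, the following is an added example, not code from this advisory or from any vendor. The function names, status labels and sample inventory are constructed for illustration; the Linux check compares the upstream version number only, so a distribution kernel with a backported fix can still be reported as "affected" and should be confirmed against the vendor's own advisory.

```python
import re

# Ranges copied from this advisory; nothing else is assumed about fixed builds.
LINUX_FIXED = (4, 7)                            # "prior to 4.7"
PANOS_LAST_AFFECTED = {(7, 0): 15, (7, 1): 9}   # "7.0.15 / 7.1.9 and earlier"
PANOS_ALL_AFFECTED = {(6, 1)}                   # "6.1", no fixed release stated


def _leading_numbers(version):
    """Dotted numeric prefix as a tuple: '4.4.0-31-generic' -> (4, 4, 0)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def linux_status(release):
    """Classify a `uname -r` string by upstream major.minor only."""
    nums = _leading_numbers(release)
    major_minor = (nums + (0,))[:2]
    return "affected" if major_minor < LINUX_FIXED else "fixed"


def panos_status(version):
    """Classify a PAN-OS version; hotfix suffixes such as '-h4' are ignored."""
    nums = _leading_numbers(version)
    if len(nums) < 2:
        raise ValueError("need at least major.minor")
    train = nums[:2]
    if train in PANOS_ALL_AFFECTED:
        return "affected"
    if train in PANOS_LAST_AFFECTED:
        if len(nums) < 3:
            raise ValueError("need major.minor.maintenance for this train")
        return "affected" if nums[2] <= PANOS_LAST_AFFECTED[train] else "fixed"
    return "not listed"      # release train not mentioned in this advisory


def triage(inventory):
    """inventory: iterable of (host, product, version) tuples."""
    check = {"linux": linux_status, "pan-os": panos_status}
    return {host: check[product](ver) for host, product, ver in inventory}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [("web01", "linux", "3.10.0-327.el7.x86_64"),
          ("db02", "linux", "4.7.0"),
          ("fw-edge", "pan-os", "7.1.9-h4"),
          ("fw-core", "pan-os", "7.0.16")]
```

Hosts whose PAN-OS release train returns "not listed" are outside what this advisory states and need a separate check.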
Exploit
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Centos
Fortios
Linux Kernel
Pan-Os
Red Hat
Suse
Ubuntu