In response to the recently discovered “Shared Challenge ACK” vulnerability, Verimatrix has determined that customers who use Linux kernels in VCAS version 3.6 and higher are susceptible to this vulnerability. Customers who use Linux ports of the ViewRight STB client and/or the Android version of ViewRight Web for Android are also susceptible and should look for updates from their respective device manufacturers. For our customers using ViewRight STB clients, we are investigating whether there is any impact; if there is, we will inform you about the follow-up steps.
What does this mean?
The Shared Challenge ACK is a flaw in the implementation of the Linux kernel's TCP/IP networking subsystem. Due to this flaw, an attacker could inject arbitrary data into unsecured TCP connections. If you are using Linux kernels in VCAS version 3.6 and higher, your system is susceptible to this vulnerability.
Advice from Divitel
We recommend using the workaround below until a patch from Red Hat is available. The Red Hat patch will be included in future VCAS server Kickstart ISO releases. Operators can implement the workaround with the following configuration change: by setting net.ipv4.tcp_challenge_ack_limit to an arbitrarily high value, challenge ACK rate limiting is effectively disabled.
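The following script is an added example, not part of the Divitel advisory or the VCAS distribution: it reads the live value of net.ipv4.tcp_challenge_ack_limit, reports whether the workaround is already in place, and (as root) applies it persistently through a sysctl.d drop-in. The drop-in file name, the assumed stock default of 100 and the chosen "arbitrarily high" value are assumptions, not values taken from the advisory.

```shell
#!/bin/sh
# Added example: check and apply the challenge ACK rate-limit workaround.
SYSCTL_KEY="net.ipv4.tcp_challenge_ack_limit"
PROC_PATH="/proc/sys/net/ipv4/tcp_challenge_ack_limit"
CONF_FILE="/etc/sysctl.d/99-challenge-ack-workaround.conf"  # assumed file name
KERNEL_DEFAULT=100        # assumed stock default on the affected kernels
HIGH_VALUE=999999999      # assumed "arbitrarily high" value (fits a 32-bit int)

# Return 0 if the given limit is above the kernel default, 1 if not,
# 2 if the argument is not a non-negative integer.
limit_is_raised() {
    value="$1"
    case "$value" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$value" -gt "$KERNEL_DEFAULT" ]
}

# Read the live value straight from /proc; works without sysctl(8).
current_limit() {
    cat "$PROC_PATH" 2>/dev/null
}

# Persist the high value in a sysctl.d drop-in and apply it now. Needs root.
apply_workaround() {
    printf '%s = %s\n' "$SYSCTL_KEY" "$HIGH_VALUE" > "$CONF_FILE"
    sysctl -w "$SYSCTL_KEY=$HIGH_VALUE" >/dev/null
}

main() {
    now=$(current_limit) || { echo "cannot read $PROC_PATH (not Linux?)"; return 1; }
    if limit_is_raised "$now"; then
        echo "OK: $SYSCTL_KEY=$now is already above the default of $KERNEL_DEFAULT"
        return 0
    fi
    echo "WEAK: $SYSCTL_KEY=$now (challenge ACKs are still rate limited)"
    [ "$(id -u)" -eq 0 ] || { echo "re-run as root to apply the workaround"; return 1; }
    apply_workaround
    after=$(current_limit)
    limit_is_raised "$after" && echo "applied: $SYSCTL_KEY=$after" && return 0
    echo "failed to raise $SYSCTL_KEY"; return 1
}

# Run main only when executed directly under this name, not when sourced.
case "$0" in *challenge_ack_workaround.sh) main ;; esac
```

Save it as challenge_ack_workaround.sh; a value written via sysctl.d survives reboots, whereas a bare `sysctl -w` does not.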
If you would like further information on this configuration, please contact us.
Detailed information about the vulnerability can be found here:
Please feel free to contact your Divitel representative for clarification or additional questions.
Support: +31 (0)55 750 48 88
Reception: +31 (0)55 576 02 42