Recently a GNU/Linux TCP vulnerability was disclosed (CVE-2016-5696) by security researchers in the US. Upon analysis, this bug did not pose a threat to our users. Nevertheless, we have already taken supplementary measures in the last week to further harden Mailfence’s servers.
GNU/Linux TCP Vulnerability
The vulnerability which was discovered has been present in the GNU/Linux kernel since 2012. It requires an attacker to have the IP addresses of both the client and the server. Due to a rate limit enforced by GNU/Linux kernel on TCP challenge ACK packets, it is possible to hijack the TCP connection between the client and the server. This can (for example) allow an attacker to inject malicious code/data into the communication HTTP (web) stream.
This vulnerability can be exploited without needing to have man-in-the-middle (MiTM) capabilities. Thus, the attack can also be performed “off-path” without the ability to eavesdrop on the network between client and server. This significantly reduces the difficulty of the attack. Additional details can be found in this original research paper.
Protecting our users
While this vulnerability can sound severe, its impact is limited in practice for users connected to our servers. At worst, arbitrary TCP connections could theoretically be closed and no hijacking could take place, because of the use of TLS encryption. For Web sessions in particular, our HSTS policy ensures that HTTPS (instead of HTTP) will be used right from the start.
Moreover, to further protect our users from this DoS-like possibility, our security team has already taken the necessary measures, without waiting for the new kernel packages to be released.
– Mailfence Team