From 1625f2a11cbb88c4c6a508db309e24b1b0d49c59 Mon Sep 17 00:00:00 2001
From: Christian Berendt
Date: Sat, 13 Aug 2016 17:15:10 +0200
Subject: [PATCH] Add workaround for CVE-2016-5696

Change-Id: Ie43c4e354b3c5aeea5b2cc65b9e0296c077148cf
---
 defaults/main.yml | 4 ++++
 doc/source/developer-notes/CVE-2016-5696.rst | 11 +++++++++++
 tasks/kernel.yml | 12 ++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 doc/source/developer-notes/CVE-2016-5696.rst

diff --git a/defaults/main.yml b/defaults/main.yml
index 17935ba5..2a29914c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -224,6 +224,10 @@ security_sysctl_tcp_syncookies: 1 # V-38539
 # change.
 security_disable_ipv6: no # V-38546
 
+# Sets the global challenge ACK counter to a large value such
+# that a potential attacker could not reasonably come up against it.
+security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696
+
 ## Mail
 # The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
 # configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
diff --git a/doc/source/developer-notes/CVE-2016-5696.rst b/doc/source/developer-notes/CVE-2016-5696.rst
new file mode 100644
index 00000000..261fd668
--- /dev/null
+++ b/doc/source/developer-notes/CVE-2016-5696.rst
@@ -0,0 +1,11 @@
+This task in the security role will set the global challenge ACK counter
+to a large value to protect systems for a vulnerability in TCP stack
+implementation of the Linux kernel (`CVE-2016-5696`_).
+
+To opt-out of this change, adjust the following variable:
+
+.. code-block:: yaml
+
+   security_set_tcp_challenge_ack_limit: no
+
+.. _CVE-2016-5696: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
index 2d901c00..4e519f8a 100644
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
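Review bot: The comment introduced above `security_set_tcp_challenge_ack_limit` explains the mitigation only vaguely ("could not reasonably come up against it") and does not say what the variable actually controls. The toggle drives a sysctl task that raises the kernel's global challenge-ACK rate limit so the shared per-second counter can no longer be observed by an off-path host, which is the whole point of the CVE-2016-5696 workaround; I would reword it to `# Raise the global challenge ACK rate limit (net.ipv4.tcp_challenge_ack_limit) so the` / `# shared counter cannot be probed as a side channel. Workaround for CVE-2016-5696.`. The new value keeps the file's `yes`/`no` style, which generic YAML 1.1 loaders read as booleans; since the consuming task filters it through `| bool` either spelling works, but `true` would be the portable choice if the file ever moves to `true`/`false`.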
@@ -185,3 +185,15 @@
     - kernel
     - cat2
     - V-38524
+
+- name: CVE-2016-5696 - Sets the global challenge ACK counter to a large value
+  sysctl:
+    name: net.ipv4.tcp_challenge_ack_limit
+    value: 1073741823
+    state: present
+    sysctl_set: yes
+  when: security_set_tcp_challenge_ack_limit | bool
+  tags:
+    - kernel
+    - cat3
+    - CVE-2016-5696
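Review bot: The literal `value: 1073741823` in the new task carries no explanation of why this number was chosen or what effect it has, and nothing in the task records that it is a workaround rather than a fix. A comment above the task such as `# 2^30 - 1: keeps the global challenge-ACK rate limit from ever being reached, so the` / `# shared counter leaks nothing. Workaround for kernels without the upstream fix for CVE-2016-5696.` would let the next maintainer decide when the task can be retired. The task also assumes the key exists: on a kernel that does not expose `net.ipv4.tcp_challenge_ack_limit` the sysctl module will most likely fail the play, so consider whether a kernel-version or distribution condition belongs in `when:` next to the `| bool` flag. `sysctl_set: yes` matches the surrounding tasks' existing style and is fine to leave as is.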