I've found this on isssource and am surprised that it has not spread like wildfire. If the claims are true then this is an issue that should be taken seriously. Posting here for discussion.
So far it looks pretty real. CVE exists[0], been picked up by RedHat[1].
It's possible that they're wrong - I haven't personally verified it - but at this point it'd be very surprising. Apart from anything else, these are serious researchers with real track records.
I'm proceeding on the assumption that it's real, and working towards ensuring everything (with a kernel >= 3.6 and < 4.7) is patched. I'd humbly suggest it might be a good idea for others to do so also.
They do not explain the origin of the attack, instead simply mentioning "a subtle flaw (in the form of 'side channels')" [sic]. They do not explain why their "temporary patch" [sic] of raising the challenge ack limit makes the vuln "practically impossible to exploit".
Hell, they do not even link to the original paper.
I skimmed over the paper and that is pretty scary stuff. Just being able to infer that two arbitrary hosts are communicating with each other is bad enough but this seems to allow for arbitrary data injection and connection reset attacks.
0: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696
1: https://access.redhat.com/security/cve/cve-2016-5696
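
An added example, not part of the thread or any poster's comment: a triage helper that classifies kernel release strings against the range quoted above (>= 3.6 and < 4.7) and reports the local challenge ACK limit. The function names and sample release strings are constructed for illustration; `net.ipv4.tcp_challenge_ack_limit` is the Linux sysctl, read here through `/proc`.

```shell
#!/bin/sh
# Added example. Range (>= 3.6 and < 4.7) is the one quoted in the thread.
# Assumption: only upstream major.minor is compared. Distro kernels backport
# fixes, so "in-range" means "check the vendor advisory", not "unpatched".

# Exit 0 if RELEASE is in [3.6, 4.7), 1 if outside, 2 if it cannot be parsed.
in_affected_range() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}          # "10.0-327.el7" -> "10"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -eq 3 ] && [ "$minor" -ge 6 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -lt 7 ] && return 0
    return 1
}

# Print a label for one release string.
classify() {
    rc=0
    in_affected_range "$1" || rc=$?
    case "$rc" in
        0) echo "in-range" ;;
        1) echo "out-of-range" ;;
        *) echo "unparsed" ;;
    esac
}

# Print the challenge ACK limit, or "n/a" if the sysctl is not readable.
# The optional argument overrides the path (used for testing).
ack_limit() {
    f=${1:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# Constructed sample inventory, followed by the local host.
for rel in 3.10.0-327.el7.x86_64 4.4.0-31-generic 4.7.2 3.2.0-4-amd64 \
           2.6.32-642.el6 "$(uname -r)"; do
    printf '%-28s %s\n' "$rel" "$(classify "$rel")"
done
printf 'local tcp_challenge_ack_limit: %s\n' "$(ack_limit)"
```

Hosts reported as in-range still need their package changelog or vendor advisory checked, since the version string alone does not show whether a fix was backported.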