Linux TCP Flaw Allows Hackers to Modify Internet Traffic
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Linux TCP Flaw Allows Hackers to Modify Internet Traffic

Linux systems and Android have been vulnerable since 2012.

In early August, researchers at University of California, Riverside and the US Army Research Laboratory published their discovery of a vulnerability in a recent addition to TCP. They found that systems running the Linux operating system could easily be attacked due to this vulnerability.

The vulnerability allows an attacker to know if any two computers on the internet have an open TCP connection. If they do, the attacker can use that information to monitor, track, modify, or terminate the connection. If the connection is unencrypted (HTTP), the attacker can perform content injection.

TCP is part of the TCP/IP suite, the main communication protocol of the internet. Every time you visit a website, you are using TCP without even knowing it – the HTTP (or HTTPS) connection your browser makes with that site is operating on top of a TCP connection.

This vulnerability is significant because it can be executed by an off-path attacker. Being on or off the path refers to where the attacker’s computer is located relative to the targets. Being off-path means the attacker does not have to be directly involved in the connection or able to monitor the connection, often referred to as a “man in the middle.” An off-path attack can be executed by essentially anyone else on the internet.

This Linux TCP flaw does not have a formal name but is known as CVE-2016-5696, a unique identifier given to known vulnerabilities by the Common Vulnerabilities & Exposures (CVE) program.

Any vulnerability affecting TCP is quite severe simply due to how widely the protocol is used. This Linux TCP flaw is particularly  dangerous due to ease and speed of execution, and its high success rate. Luckily, this vulnerability can only affect systems that have implemented a more recent specification of TCP, known as RFC 5961, though the number of affected systems is still quite large.

RFC 5961 is a technical standard that was created to fix an unrelated security problem. “Unfortunately,” the researchers wrote, “one of the most recent specifications intended to improve security creates an even more serious vulnerability.”[1]

RFCs (Request for Comments) are documents produced by the IETF (Internet Engineering Task Force) that define technical standards. They are publicly posted to receive reviews from others in the community, where they are (hopefully) improved through successive drafts. A lot of technologies we are familiar with – like HTTP and SSL/TLS – are designed through this process.

Linux is the only major operating system known to implement this standard. The features of RFC 5961 were implemented in the Linux kernel in 2012 (in version 3.6), and the problems were fixed in early August in version 4.7. This also means that around 80% of Android devices are vulnerable because they are based on the Linux kernel.

Windows and Mac OS never implemented RFC 5961 and are therefore not vulnerable.

Executing The Attack

This vulnerability allows an attacker to learn if a TCP connection exists between two computers, reset or terminate said connection, and possibly perform content injection on that connection.

To execute the attack, all that’s needed is the IP address of both parties in the connection (the TCP connection also needs to stay open long enough to exploit the vulnerability). Only one party in the connection needs to be vulnerable. In this case, the most common target would be web servers running affected versions of Linux.

“Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection.” The entire attack, on average, takes less than a minute to execute and has a success rate between 88 to 97%.[2]

Because the attack can work off-path, this can be an incredibly powerful tool because the attacker does not need to be in the privileged position of controlling part of the path of the connection.

In the worst case scenario, the attacker can inject content into the connection. This can be used to essentially take control of the connection and maliciously modify the page. The researchers demonstrated this in a connection to USA Today’s website in a video (which won’t look like much if you aren’t familiar with internet networking).

However, content injection cannot occur if the connection is secured with HTTPS. Encrypted connections are only vulnerable to identification and termination.

The researchers also warned that RFC 5961 is written in a way that may result in other developers making the same mistake. Zhiyun Qian told Ars Technica, “I want to say that the RFC is written in a way that if OSes implement it straightforwardly, it is going to be problematic.”[3]

Their paper, Off-Path TCP Exploits: Global Rate Limit Considered Dangerous”, was a finalist in the 2016 Internet Defense Prize, an award given to notable research in internet security, by Facebook and USENIX.

Patching The Linux TCP Flaw

All Linux kernel versions between 3.6 and 4.7 are affected. If you are running Linux, particularly if you are running a web server, you should see if your specific distribution is affected.

Since this research was published in early August, Many distributions including Debian, Fedora, and Ubuntu have released a patch.

If there is no official patch available, the researchers have also recommended a temporary patch which “simply raises the ‘challenge ACK limit’ to an extremely large value to make it practically impossible to exploit” this vulnerability:

Open /etc/sysctl.conf, append a command “net.ipv4.tcp_challenge_ack_limit = 999999999”.

Use “sysctl -p” to update the configuration. [4]

This Linux TCP flaw is a pretty big deal, but the good thing about serious vulnerabilities is that they get patched quickly, and hopefully we won’t see any more problematic implementations of RFC 5961.


[4] https://ucrtoday.ucr.edu/39030