All Linux kernels put out in the past four years affected

Aug 10, 2016 21:00 GMT  ·  By

CVE-2016-5696 is the ID of a serious security flaw that affects the TCP implementation in the Linux kernel, which, if exploited, allows an attacker to hijack unencrypted Web traffic, or crash encrypted communications such as HTTPS sessions or Tor connections.

The vulnerability affects all Linux kernel versions from v3.6 up to v4.7 and has existed in the Linux kernel for the past four years. At the heart of the problem is the design of RFC 5961, a standard that dictates how TCP connections are established between two hosts.

TCP is the protocol at the heart of all Internet communications. HTTP, FTP, SSH, Telnet, DNS, SNMP, POP, and all other application-level protocols stand on the shoulders of TCP.

Applications, including Web servers, use TCP to establish connections between hosts, and then reliably send data between them.

All TCP connections are established via the now-classic TCP three-way handshake, a process in which the two hosts exchange three types of TCP packets in a certain order: SYN -> SYN-ACK -> ACK. After a secure connection is established, TCP packets are sent in order between the two hosts.

Problem resides in RFC 5961 implementation in Linux kernel

For its part, the Linux project has implemented RFC 5961 better than anyone else, and that's why Linux-based servers are undeniably the best in the business.

A team of six researchers from the University of California, Riverside, and the US Army Research Laboratory have discovered a problem in the way the RFC 5961 standard has been implemented in the Linux kernel.

The researchers created a proof of concept exploit that they can use to detect if two hosts are communicating via TCP.

The first part of the attack only takes around 10 seconds and allows the attacker to accurately guess the TCP packet sequence numbers currently exchanged between the two hosts.

Attacker doesn't need MitM position

The attacker does not need a man-in-the-middle position, meaning the packets exchanged between the two parties don't necessarily have to go through a server under his control.

No MitM position is needed to carry out the attack

Since an IP address can be spoofed, an attacker could intervene in the connections and inject malicious TCP packets inside the legitimate TCP packet sequence.

The paper, titled "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous," presents a case study in which the six researchers injected a phishing form inside the USA Today website.

The researchers used their exploit to see if the IP of a known person was communicating with the IP of the USA Today (Linux) Web server.

"Through extensive experiments, we show that the attack is fast and reliable," the research team explains. "On average, it takes about 40 to 60 seconds to finish and the success rate is 88% to 97%."

TCP flaw is ideal for DoS-ing the Tor network

Injecting rogue content in a TCP connection via this method shows once again why supporting HTTPS is so important. CVE-2016-5696 can also be used to create a Denial of Service (DoS) state for encrypted services such as SSH and Tor.

Using this flaw to crash Tor connections may force some users to resort to less secure communication tools.

In their paper, researchers propose some changes in TCP's global rate limit to reduce the attack's reach, but also warn that other operating systems may also be affected. In essence, it depends on how much the OS makers stuck to RFC 5961 when adding TCP support in their OS.
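As an added example that is not part of the article or of the researchers' work, the small checker below reports whether a Linux host falls in the kernel range the article names and whether the challenge-ACK global rate limit has been raised as a stopgap. It assumes the affected range is v3.6 through v4.7 inclusive (the article's wording is not precise about the upper bound), reads the standard net.ipv4.tcp_challenge_ack_limit sysctl, and treats a very large limit as the interim mitigation; the threshold value is an assumption, not a figure from the article.

```python
"""Assess a Linux host against the CVE-2016-5696 kernel range and sysctl stopgap.

Assumptions (not from the article): affected range v3.6..v4.7 inclusive;
raising the challenge-ACK limit far above any realistic traffic rate is the
interim mitigation, since the shared counter is what leaks information.
"""
import platform
import re
from typing import Optional, Tuple

AFFECTED_MIN = (3, 6)
AFFECTED_MAX = (4, 7)
SYSCTL_PATH = "/proc/sys/net/ipv4/tcp_challenge_ack_limit"
MITIGATED_LIMIT = 999_999_999  # assumed "effectively unlimited" threshold


def parse_kernel_version(release: str) -> Tuple[int, int]:
    """Extract (major, minor) from a uname release such as '4.4.0-31-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def kernel_in_affected_range(release: str) -> bool:
    """True when major.minor lies in v3.6..v4.7. Distributions backport fixes,
    so a match is a reason to check further, not proof of exposure."""
    return AFFECTED_MIN <= parse_kernel_version(release) <= AFFECTED_MAX


def read_challenge_ack_limit(path: str = SYSCTL_PATH) -> Optional[int]:
    """Return the current limit, or None if the sysctl is absent (non-Linux,
    or a kernel without the knob)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def assess(release: str, limit: Optional[int]) -> str:
    """Combine the version check and the sysctl value into one verdict."""
    if not kernel_in_affected_range(release):
        return "not-in-affected-range"
    if limit is None:
        return "affected-unknown-limit"
    if limit >= MITIGATED_LIMIT:
        return "affected-mitigated"
    return "affected-vulnerable"


if __name__ == "__main__":
    rel, lim = platform.release(), read_challenge_ack_limit()
    print(f"kernel {rel}: tcp_challenge_ack_limit={lim} -> {assess(rel, lim)}")
```

A verdict of "affected-mitigated" only covers the interim sysctl workaround; the lasting fix is a patched kernel from the distribution.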

Photo: TCP flaw in Linux kernel opens the door for Web traffic hijacking