Linux TCP flaw lets ‘anyone’ hijack Internet traffic
August 15, 2016
Seid Yassin (557 articles)

Linux TCP flaw lets ‘anyone’ hijack Internet traffic

Some days you can’t win for losing. In 2012, Linux implemented a new TCP/IP networking standard, RFC 5961, Improving TCP’s Robustness to Blind In-Window Attacks, to improve security.

In the process, they opened up a heretofore unknown security hole. Ironically, other operating systems that lagged in implementing this new “security” mechanism — such as FreeBSD, macOS, and Windows — are immune to this new attack vector.

This is potentially a big deal, because it can be used to break or even hijack internet connections between Linux and Android systems. So, for example, if an Android smartphone is connected to USA Today, the connection could be interrupted. The same attack, however, would fail if it were made on a link between a Windows PC and USA Today.

The problem exists in any operating system running Linux kernel 3.6 or newer. Linux 3.6 was introduced in 2012. The vulnerability allows an attacker from anywhere on the internet to search for connections between a client and a server. Once such a network connection is found, the attacker can invade it, cause connection termination, and perform data injection attacks.

How bad is it? The discoverers say the attack is fast and reliable, takes less than a minute, and works about 90 percent of the time.

According to University of California at Riverside (UCR) researchers, the Linux TCP/IP security hole can be used by attackers in a variety of ways: hackers can remotely hijack users’ internet communications, launch targeted attacks that track users’ online activity, forcibly terminate a communication, hijack a conversation between hosts, or degrade the privacy guarantee of anonymity networks such as Tor.
“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out,” said Zhiyun Qian, an UCR assistant professor of computer science. “Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses for victim client and server, which is fairly easy to obtain.”

Adding insult to injury, Qian added, “Unlike conventional cyber attacks, users could become victims without doing anything wrong, such as downloading malware or clicking on a link in a phishing email.”

Worse still, the attack vector can be used even against secure connections. While this doesn’t give an attacker the ability to read the encrypted data, it can be used to break a connection or to track who is talking to whom. Against Tor and other anonymizers, an attacker could reset a network connection to force a connection to route through an already hacked relay.

The good news — and, yes, there is good news — is it’s easy to fix. First, Linux itself is being patched to stop the attack vector in its track. Next, you simply raise the ‘challenge ACK limit’ to an extremely large value to make it practically impossible to exploit the side channel problem that enabled the attack to work.

On the Ubuntu Linux family, for instance, you can fix it with the following steps:

Open /etc/sysctl.conf, with an editor, such as vim.
Enter the line: net.ipv4.tcp_challenge_ack_limit = 999999999
Save the file.
Use the shell command “sysctl -p” to update the configuration.
And, just like that, your system — any connections to it — can no longer be attacked.

One other bit of good news is it appears the attack works best against systems using IPv4 networking. Devices that use IPv6 networking, such as most Verizon 4G Android smartphones, are harder to attack due to the vast IPv6 address space.

That said, simply using IPv6 doesn’t make you immune, as Quin explained in an email: “The attack is against a flaw in TCP (not IP); therefore, it works both against IPv4 or IPv6. Basically, given any two IP addresses (either IPv4 or IPv6), our attack can test if they have a communication. If so, we can further terminate or inject malicious payload into the connection.”
Source | zdnet