Linux TCP flaw allows hackers to hijack internet traffic

[ASTRAPI]

Researchers have discovered a serious security vulnerability in the Transmission Control Protocol (TCP) used by Linux since late 2012 that allows attackers to compromise users' internet communications remotely.

According to a research study published by researchers from the University of California, Riverside, the flaw could potentially be used by threat actors to "launch targeted attacks that track users' online activity, forcibly terminate a communication, hijack a conversation between hosts or degrade the privacy guarantee by anonymity networks such as Tor."

Although most internet users do not use Linux directly, the software does run on internet servers, Android phones and various other devices behind-the-scenes.

TCP is used by Linux and other operating systems together with Internet Protocol (IP) to transfer information from one place to another by packaging and sending data across to its rightful destination. When you hit the send button to shoot an email to a friend, for example, TCP assembles your message into a series of data packers that are then transmitted over, received and then reassembled again to show the original message.

However, researchers have found a subtle but critical flaw (CVE-2016-5696) that uses "side channels" in all Linux kernel versions 3.6 and beyond that allows a malicious attacker to infer a connection's TCP sequence numbers using just the IP addresses of the two parties. A attacker can then remotely eavesdrop on the users' communication, track their online activity, inject malicious material into the communication or even terminate the connection altogether.

Despite being immune to data injection, encrypted connections such as HTTPS can also be forcefully shut down by an attacker as well. Anonymity networks such as Tor can be compromised as well by pushing a connection to route through certain delays.

"The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out," said project adviser and assistant professor of computer science at UCR Zhiyun Qian in a statement. "Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain."

The researchers posted a short YouTube video demonstrating how the attacks work as well:

They also noted that the attack, which has about 90% success rate, is quick, reliable and often takes less than a minute to carry out.

"We emphasize that the attack can be carried out by a purely off-path attacker without running malicious code on the communicating client or server," the researchers wrote in an accompanying paper titled, 'Off-Path TCP Exploits: Global Rate Limit Considered Dangerous.' "This can have serious implications on the security and privacy of the Internet at large."

Linux has already been informed about the vulnerability and the latest version of Linux has been patched, researchers said.

 

Here's How to Mitigate TCP Attack:

While patches to fix the vulnerability are developed and distributed for the current Linux kernel, as a workaround you can raise the ACK rate limit on your Linux machine or gadget to large values so that it cannot be reached.

For this, you are required to append the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

Once done, use sysctl -p to activate the new rule. You need to perform root to do this.

The researchers also note that while Linux version 3.6 and above are vulnerable to this attack, Windows, OS X and FreeBSD are not believed to be vulnerable because they have not yet fully implemented RFC 5961.

[CheersnGears]

Do we know which kernel version has the patch?

 

[ASTRAPI]

Red Hat release a kernel patch for it 2 days ago  for Centos 7 and Centos 6 will follow soon:

https://rhn.redhat.com/errata/RHSA-2016-1633.html

Now you can update the kernel and reboot server and after that you can remove the temporary fix