A Linux vulnerability present in 80% of Android devices reportedly enabled attackers to identify hosts communicating over TCP, and to attack traffic or terminate connections. Attackers can also conduct remote code execution if a WebKit or browser-related bug is chained with the Linux vulnerability. How serious is this widespread vulnerability, and what can be done to mitigate possible attacks?
The Off-Path TCP Exploit was discovered by researchers from the University of California, Riverside and the U.S. Army Research Laboratory. This Linux vulnerability has been present in systems since version 3.6 of the kernel, which was released in 2012. When the issue was publicly disclosed during the 2016 USENIX Security Symposium, around eight out of every 10 Android devices were found to be affected, along with other devices running affected versions of Linux, such as web servers, desktops and smart TVs.
Ironically, the flaw was introduced when Linux implemented the TCP/IP networking standard, "RFC 5961: Improving TCP's Robustness to Blind In-Window Attacks," published in 2010. This standard made small modifications to the way TCP handled inbound segments to block spoofed packet injection attacks.
To successfully insert data into a connection, an attacker needs to know the two IP addresses and the source and destination ports, plus the next valid sequence numbers of the exchanged packets. RFC 5961 introduced challenge ACK packets to ensure that no one could forcibly insert themselves into a valid connection. The Linux vulnerability arose because the OS rate limits the output of these challenge ACKs.
This means that once an attacker has the source and destination IP addresses and ports of a connection between a server and a client, they can send the server spoofed packets, prompting it to keep sending challenge ACKs to the client until the server hits its limit and temporarily stops sending them. This gives the attacker the opportunity to infer the TCP sequence numbers in use, allowing them to break the connection or perform data injection attacks. The researchers who discovered the flaw have posted a video showing an attack in progress and the HTTP traffic being hijacked.
It's not just the number of devices affected that makes this vulnerability a concern, but that it is practical and within the capabilities of many hackers, as no user interaction, such as downloading malware, is required by the victim. The attacker doesn't need to create a man-in-the-middle position on the network to exploit the flaw either -- in fact, an attack can be launched from anywhere in the world where a machine is on a network that allows for IP spoofing.
According to the researchers, the attack can be executed in less than a minute, and it has a 90% success rate, which has serious implications for the security and privacy of the entire internet. Although encrypted connections are immune to data injection, the connections can still be forcefully terminated by an attacker. The researchers showed how the flaw (CVE-2016-5696) can be exploited to break SSH connections and to tamper with encrypted communications traveling over the Tor anonymity network. If an attacker manages to combine this attack with a WebKit or browser-related bug, the consequences could be even more dangerous.
Patches for the Linux vulnerability have been developed for the current kernel, and system administrators should install them as soon as possible. A temporary solution that can be applied to affected systems is to raise the challenge ACK limit to a very large value, such as 999999999, which makes it practically impossible to exploit this side channel attack. For Ubuntu Linux, it's a case of opening the /etc/sysctl.conf configuration file and adding or amending the line:
net.ipv4.tcp_challenge_ack_limit = 999999999
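The following is an added example, not part of the original article, showing how an administrator might apply and verify that interim sysctl setting without duplicating the line or missing an existing entry. It assumes a POSIX shell with awk, grep and sed available, and it operates on whatever file path it is given; the usage at the bottom runs against a constructed temporary file rather than the real /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently apply the
# interim tcp_challenge_ack_limit mitigation to a sysctl.conf-style file
# and verify it. Assumes POSIX sh, awk, grep and sed.

KEY="net.ipv4.tcp_challenge_ack_limit"
WANT=999999999

# Print the last non-comment value configured for KEY in the file, or nothing.
get_limit() {
    awk -F= -v key="$KEY" '
        $0 !~ /^[ \t]*#/ {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/[ \t]/, "", v); last = v }
        }
        END { if (last != "") print last }' "$1"
}

# Amend an existing KEY line or append one; never leaves two copies behind.
set_limit() {
    file="$1"
    if grep -Eq "^[[:space:]]*$KEY[[:space:]]*=" "$file"; then
        # sed -i is not POSIX, so write through a temp file instead
        tmp="$file.tmp.$$"
        sed "s|^[[:space:]]*$KEY[[:space:]]*=.*|$KEY = $WANT|" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$KEY" "$WANT" >> "$file"
    fi
}

# Succeed (exit 0) only when the configured value is at least WANT.
check_limit() {
    cur=$(get_limit "$1")
    [ -n "$cur" ] && [ "$cur" -ge "$WANT" ]
}

# Usage against a constructed sample file, not the real /etc/sysctl.conf.
demo() {
    f=$(mktemp)
    printf '# constructed sample\nnet.ipv4.tcp_challenge_ack_limit = 100\n' > "$f"
    set_limit "$f"
    check_limit "$f" && echo "mitigation present: $KEY = $(get_limit "$f")"
    rm -f "$f"
}
demo
# After editing the real /etc/sysctl.conf, load it with: sysctl -p
```

The check function is the part worth keeping around: a configuration-management or compliance script can call it against /etc/sysctl.conf to confirm the interim setting is still in place on hosts that have not yet received the kernel patch.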
Other operating systems, such as Windows, Mac OS X and FreeBSD, are immune to this new attack vector because they have not yet fully implemented RFC 5961, while devices that use IPv6 networking, such as most Verizon 4G Android smartphones, are theoretically harder to attack due to the vast IPv6 address space.