Serious Linux design flaw CVE-2016-569 allows Traffic Hijacking

A severe design flaw in the Linux kernel could be exploited by attackers to hijack traffic, inject malware into connections, and run a wide range of attacks.

A severe flaw in the Linux kernel could be exploited by attackers to hijack traffic, inject malware into downloads and web pages, and run a wide range of attacks, break Tor connections.

“In general, we believe that a DoS attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide,” the team wrote in a white paper .

The flaw is widespread, vulnerable Linux distros are everywhere, in PC, servers, mobile devices and IoT devices.

The serious flaw (CVE-2016-5696) exists since version 3.6, deployed in 2012. It was discovered by researchers from the University of California, Riverside, and the U.S. Army Research Laboratory that present their findings at USENIX Security Symposium. The study is detailed in a paper titled “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous,” that also includes recommendations on how to mitigate the issue.

The TCP/IP networking flaw allows attackers to spot communications between two entities and can be exploited to hijack the traffic and manipulate it if the exchange is not encrypted.

The attack is not considerable a man-in-the-middle attack, the attackers just need to send spoofed packets to both sides of the connection by simply knowing their IP addresses and destination ports.

“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out,” explained Zhiyun Qian project leader.

“Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain.”

Giving a close look at the RFC 5961 we can note that it addresses spoofed packet injection attacks by introducing challenge ACK packets.

The researchers exploited the feature that Linux rate limits the output of these challenge ACKs.

The attacker can send malicious packets to confuse to the server, that in turn sends challenge ACKs to the client until it reaches its limit and temporarily stops sending them. In this phase, the attacker can turn to the client and send spoofed IP packets to break the connection or to substitute the silenced server in the connection.

“The root cause of the vulnerability is the introduction of the challenge ACK responses and the global rate limit imposed on certain TCP control packets.” explained the researchers.

“Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection. To demonstrate the impact, we perform case studies on a wide range of applications.

The basic idea is to repeat the following steps: 1) send spoofed packets to the connection under test (with a specific four-tuple), 2) create contention on the global challenge ACK rate limit, ie, by creating a regular connection from the attacker to the server and intentionally triggering the maximum allowed challenge ACKs per second, and 3) count the actual number of challenge ACKs received on that connection. If this number is less than the system limit, some challenge ACKs must have been sent over the connection under test, as responses to the spoofed packets.”

Waiting for a patch, users can raise the rate limit for the challenge ACK packets so that it cannot be reached, it can be done by modifying the rule it in the /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

then execute sysctl -p to activate it and root the machine.

Tha attack could be also effective on encrypted communication, but just to break them. The researchers also added that Windows, OS X and FreeBSD aren’t vulnerable because partially implemented the RFC 5961.

Below a video PoC of the attack:

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux, Traffic Hijacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.