Linux TCP Exploit Allows Web Traffic Hijacking And Dangerous Remote Code Injection

Today's a bad day for security. First it was discovered that Microsoft accidentally leaked what amounts to a golden key for the Secure Boot system, and now we find out there's a rather serious vulnerability in the TCP implementation of all Linux systems since version 3.6 of the Linux kernel was deployed four years ago. Is anyone safe?

As it pertains to Linux, if exploited the vulnerability could allow attackers to sniff out hosts that are communicating over the protocol and hijack the traffic. And according to the researchers at the University of California, Riverside and the U.S. Army Research Laboratory who discovered the vulnerability, attackers don't even need to be in the traffic stream (the position required for a man-in-the-middle attack) to exploit it.


"The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain," said Zhiyun Qian, an assistant computer science professor at the university and project advisor.

This is a widespread vulnerability that could affect scores of Linux devices, including everything from embedded systems to mobile phones and more. Just as scary is that the attack can be carried out fairly quickly: it took less than a minute in the researchers' experiments, and they were successful in their attempts around nine out of 10 times.

As explained by the researchers, the vulnerability allows an off-path attacker to infer whether a pair of arbitrary hosts on the Internet are communicating using TCP. If there is a connection, the attacker can also infer the TCP sequence numbers from both sides of the connection, and then either terminate the connection or perform data injection attacks.

"We emphasize that the attack can be carried out by a purely off-path attacker without running malicious code on the communicating client or server," the researchers wrote. "This can have serious implications on the security and privacy of the Internet at large."

On the bright side, patches for the vulnerability have already been developed for the current Linux kernel, so affected systems can be fixed by updating to a patched kernel.