Serious TCP Bug in Linux Systems Allows Traffic Hijacking

A serious vulnerability in the TCP implementation in Linux systems deployed since 2012 (version 3.6 of the Linux kernel) can be used by attackers to identify hosts communicating over the protocol and ultimately attack that traffic.

Researchers from the University of California, Riverside and the U.S. Army Research Laboratory are expected today at the USENIX Security Symposium deliver their paper, “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous,” that explains the vulnerability and recommendations on how to mitigate it.

Patches for the vulnerability have been developed for the current Linux kernel, said Zhiyun Qian, an assistant computer science professor at the university and project advisor. Qian and fellow authors Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth V. Krishnamurthy, and Lisa M. Marvel also developed a patch for client and server hosts that raises the challenge ACK limit to large values, making it difficult to exploit.

Attackers do not need to be in the traffic stream, i.e., via man-in-the-middle attacks, in order to exploit the flaw, and Qian said no user interaction is required on the part of the victim.

“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out,” Qian said in a statement published by the university. “Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain.”

The vulnerable TCP implementation (CVE-2016-5696) could affect an untold number of devices running Linux, including embedded computers, mobile phones and more. The researchers said the attack can be carried out in less than a minute and in their experiments, the academics were successful between 88 percent and 97 percent of the time.

“In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection,” the researchers wrote in their paper. “Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks.”

Attacks can disrupt or degrade supposedly encrypted traffic, including connections over the Tor network, the researchers wrote.

The work challenges previous assumptions that an attacker could not easily determine whether both ends of a session were communicating over TCP without being in a man-in-the-middle position, and therefore could not hijack nor tamper with traffic.

The researchers’ “off-path attack” is capable of determining whether hosts are using TCP connections and then learning the port numbers of those connections. The attack allows someone off-path to infer TCP number sequences and then inject exploits or terminate the traffic stream.

“We emphasize that the attack can be carried out by a purely off-path attacker without running malicious code on the communicating client or server,” the researchers wrote. “This can have serious implications on the security and privacy of the Internet at large.”

The researchers said the problem is linked to the introduction in of challenge ACK responses and the imposition of a global rate limit on TCP control packets.

“At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets,” the researchers wrote. “Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection.”