Widespread Linux Flaw Allows TCP Session Hijacking, Termination

The TCP implementation in all Linux systems built since 2012 has a serious flaw that can allow an attacker to terminate or inject data into a session between any two vulnerable machines on the Internet. The bug could also be used to end encrypted connections or downgrade the privacy of connections run through Tor or other anonymity networks.

The vulnerability was introduced in Linux 3.6 and an attacker does not need to be in a man-in-the-middle position in order to exploit it. The researchers at the University of California Riverside who discovered the flaw say that it results from an attackers ability to infer the TCP sequence numbers for the packets flowing between two hosts.

“The root cause of the vulnerability is the introduction of the challenge ACK responses and the global rate limit imposed on certain TCP control packets. The feature is outlined in RFC 5961, which is implemented faithfully in Linux kernel version 3.6 from late 2012. At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets,” the UCR researchers’ paper says.

“Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection.”

Linux is used in millions of embedded devices, servers, mobile devices, and other machines all across the Internet, many of them out of sight of normal users. An attacker who knows about this vulnerability and has the skill to exploit it not only would be able to hijack connections between two machines communicating in plaintext, but could also terminate encrypted connections. The researchers said the skill level needed for an adversary to carry out this attack is not high.

“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain,” Zhiyun Qian, an assistant professor of computer science at UCR, said.

The main targets for this attack would be any plaintext connection with a long life, and the researchers listed things such as chat rooms, news sites, online ads, or video services as good targets. The researchers, who will deliver their paper at the USENIX Security Symposium today, disclosed the vulnerability to the Linux community, and a patch is in line for the next release of the operating system.

Webinar: Call Center Fraud Vectors & Fraudsters Analyzed