
How does a Linux vulnerability allow attacks on TCP communications?

A Linux vulnerability that affects 80% of Android devices allows for attacks on TCP communications and remote code execution. Expert Michael Cobb explains how to mitigate these risks.

A Linux vulnerability present in 80% of Android devices reportedly enabled attackers to identify hosts communicating over TCP, and to attack traffic or terminate connections. Attackers can also conduct remote code execution if a WebKit or browser-related bug is chained with the Linux vulnerability. How serious is this widespread vulnerability, and what can be done to mitigate possible attacks?

The Off-Path TCP Exploit was discovered by researchers from the University of California, Riverside and the U.S. Army Research Laboratory. This Linux vulnerability has been present in systems since version 3.6 of the kernel, which was released in 2012. When the issue was publicly disclosed during the 2016 USENIX Security Symposium, around eight out of every 10 Android devices were found to be affected, along with other devices running affected versions of Linux, such as web servers, desktops and smart TVs.

Ironically, the flaw was introduced when Linux implemented the TCP/IP networking standard, "RFC 5961: Improving TCP's Robustness to Blind In-Window Attacks," published in 2010. This standard made small modifications to the way TCP handled inbound segments to block spoofed packet injection attacks.

To successfully insert data into a connection, an attacker needs to know the two IP addresses and the source and destination ports, plus the next valid sequence numbers of the exchanged packets. RFC 5961 introduced challenge ACK packets to ensure that no one could forcibly insert themselves into a valid connection. The Linux vulnerability arose because the OS rate limits the output of these challenge ACKs.

This means that once an attacker has the source and destination IP addresses and ports of a connection between a server and a client, they can send the server spoofed packets, prompting it to keep sending challenge ACKs to the client until the server hits its limit and temporarily stops sending them. This gives the attacker the opportunity to infer the TCP sequence numbers in use, allowing them to break the connection or perform data injection attacks. The researchers who discovered the flaw have posted a video showing an attack in progress and the HTTP traffic being hijacked.

It's not just the number of devices affected that makes this vulnerability a concern, but that it is practical and within the capabilities of many hackers, as no user interaction, such as downloading malware, is required by the victim. The attacker doesn't need to create a man-in-the-middle position on the network to exploit the flaw either -- in fact, an attack can be launched from anywhere in the world where a machine is on a network that allows for IP spoofing.

According to the researchers, the attack can be executed in less than a minute, and it has a 90% success rate, which has serious implications for the security and privacy of the entire internet. Although encrypted connections are immune to data injection, the connections can still be forcefully terminated by an attacker. The researchers showed how the flaw (CVE-2016-5696) can be exploited to break SSH connections and to tamper with encrypted communications traveling over the Tor anonymity network. If an attacker manages to combine this attack with a WebKit or browser-related bug, the consequences could be even more dangerous.

Patches for the Linux vulnerability have been developed for the current kernel, and system administrators should install them as soon as possible. A temporary solution that can be applied to affected systems is to raise the challenge ACK limit to a very large value, such as 999999999, which makes it practically impossible to exploit this side-channel attack. For Ubuntu Linux, it's a case of opening the /etc/sysctl.conf configuration file and adding or amending the line:

net.ipv4.tcp_challenge_ack_limit = 999999999
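As an added example, not part of the original article, the following POSIX shell helpers check the running kernel's challenge ACK limit and add or amend the sysctl.conf line described above. The function names and the file-path arguments are my own; on kernels that do not expose this sysctl the check reports "absent".

```shell
#!/bin/sh
# Added example: audit and apply the RFC 5961 challenge-ACK rate-limit
# mitigation. File paths are passed in so the functions can be run
# against constructed files as well as the live system.

# Value the article recommends as the interim mitigation.
MITIGATED_LIMIT=999999999

# check_limit PROCFILE: prints "mitigated", "vulnerable" or "absent".
# PROCFILE is normally /proc/sys/net/ipv4/tcp_challenge_ack_limit.
check_limit() {
    procfile=$1
    if [ ! -r "$procfile" ]; then
        echo absent        # kernel without this sysctl, or no access
        return 0
    fi
    current=$(tr -d '[:space:]' < "$procfile")
    # A non-numeric or empty value fails the test and is reported as vulnerable.
    if [ "$current" -ge "$MITIGATED_LIMIT" ] 2>/dev/null; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# set_sysctl_line CONFFILE: add or amend the tcp_challenge_ack_limit line
# in a sysctl.conf-style file, leaving every other line untouched.
set_sysctl_line() {
    conffile=$1
    key=net.ipv4.tcp_challenge_ack_limit
    tmp="$conffile.tmp.$$"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$conffile" 2>/dev/null; then
        # Amend the existing assignment in place.
        sed "s/^[[:space:]]*$key[[:space:]]*=.*/$key = $MITIGATED_LIMIT/" \
            "$conffile" > "$tmp"
    else
        # Append the line; the file may not exist yet.
        { [ -f "$conffile" ] && cat "$conffile"
          echo "$key = $MITIGATED_LIMIT"; } > "$tmp"
    fi
    mv "$tmp" "$conffile"
}

# Typical use on a live host (root is needed to reload the setting):
#   check_limit /proc/sys/net/ipv4/tcp_challenge_ack_limit
#   set_sysctl_line /etc/sysctl.conf && sysctl -p
```

Run check_limit again after `sysctl -p` to confirm the new value took effect; a result of "absent" means the kernel does not offer this knob and the mitigation does not apply.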

Other operating systems, such as Windows, Mac OS X and FreeBSD, are immune to this new attack vector because they have not yet fully implemented RFC 5961, while devices that use IPv6 networking, such as most Verizon 4G Android smartphones, are theoretically harder to attack due to the vast IPv6 address space.


This was last published in January 2017
