Default Linux implementation of default allows attacker to manipulate connection
A leak in the Linux implementation of the rfc 5961 standard allows an attacker to interrupt connections between two parties and makes it possible to inject malware, for example. According to the discoverers, large internet sites are vulnerable.
The vulnerability, discovered by researchers at the University of California, exposes TCP connections to an ‘off path’ attack, Ars Technica writes. It is not necessary for an attacker to be between two communicating parties, as with a man-in-the-middle attack. It is only required that the attacker can determine that communication is taking place.
The vulnerability cve-2016-5696 occurs in the Linux implementation of the fairly new rfc 5961 standard, which is present from version 3.6 of the kernel. The issue has been resolved in version 4.7 of the kernel. However, this has yet to be included in the various distributions. Rfc 5961 is specifically intended to make connections more secure and is currently only implemented in Linux, not Windows or OS X.
To perform an attack based on the vulnerability, it is required that the attacker has knowledge of the IP addresses and ports through which communication between two parties takes place. He can then bombard the server with spoofed packets. This causes the server to send challenge acks until the maximum is reached, after which the attacker can target the target and send spoofed packets to disconnect or inject data onto an unencrypted connection. The Register reports that there is a workaround by adding the line net.ipv4.tcp_challenge_ack_limit = 999999999 to /etc/sysctl.conf and running sysctl -p as root.
Using such an attack, the researchers demonstrated that they could inject malicious javascript into the USA Today website. It is also possible to interrupt ssh and tor connections. Injection can only take place in unencrypted connections. “The unique aspect of the attack is that it can be carried out without many requirements,” researcher Zhiyun Qian told The Register. A dos attack on the Tor network could have major consequences for the availability of the service, according to the scientist. This is reflected in their research.