A TCP weakness in Linux systems allows network traffic hijack

  • Apparently this command fixes the problem:

    echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >>/etc/sysctl.conf;sysctl -p

    I got this from http://www.isssource.com/fixing-an-internet-security-threat/ but they had a typo
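A small checker for the workaround above, added here as an example and not code from the thread or from any linked source: it parses sysctl.conf syntax the way `sysctl -p` does (last duplicate key wins, which is what appending the one-liner relies on), compares the persisted value against the value the running kernel reports, and flags a limit that is still at the old default. The SAFE_MIN threshold and the sample config are constructed for the example.

```python
"""Check whether the tcp_challenge_ack_limit workaround is persisted and live."""
from pathlib import Path

KEY = "net.ipv4.tcp_challenge_ack_limit"
PROC_PATH = Path("/proc/sys/net/ipv4/tcp_challenge_ack_limit")
# Unfixed kernels defaulted to 100/s; SAFE_MIN is an assumption for this example.
SAFE_MIN = 1_000_000

def parse_sysctl_conf(text):
    """sysctl.conf syntax: 'key = value' lines, '#'/';' comment lines, blanks
    ignored; a later duplicate key overrides an earlier one, which is exactly
    what appending the one-liner to an existing file relies on."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def configured_limit(text):
    """Persisted limit from sysctl.conf text, or None if absent/non-numeric."""
    value = parse_sysctl_conf(text).get(KEY)
    return int(value) if value is not None and value.isdigit() else None

def live_limit(path=PROC_PATH):
    """Running kernel's limit, or None if unreadable (non-Linux, no permission)."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None

def assess(limit):
    """Classify a limit; None means it could not be determined."""
    if limit is None:
        return "unknown"
    return "mitigated" if limit >= SAFE_MIN else "default-or-low"

# Constructed sample: a sysctl.conf that already carried a low value before the
# thread's one-liner was appended; the appended line must be the one that counts.
SAMPLE_CONF = """# constructed /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.tcp_challenge_ack_limit = 100
net.ipv4.tcp_challenge_ack_limit = 999999999
"""
if __name__ == "__main__":
    print("persisted:", assess(configured_limit(SAMPLE_CONF)))
    print("live:", assess(live_limit()))
```

On a kernel that carries the fix commit linked in the thread the limit is randomised internally, so a low value there is not on its own evidence of the unfixed behaviour.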

  • Here's the commit for fixing this: https://git.zx2c4.com/linux/commit/?id=75ff39ccc1bd5d3c455b6...

  • Currently listed as vulnerable and unfixed in Debian: https://security-tracker.debian.org/tracker/CVE-2016-5696

  • What's interesting is that this is a protocol bug, not an implementation/software bug (in RFC 5961).

    It is intriguing to realize that the three information leakages are enabled by the three (and only three) conditions that trigger challenge ACKs...

    Indeed. It almost looks like an intentional back door.

  • I've found this on isssource and am surprised that it has not spread like wildfire. If the claims are true then this is an issue that should be taken seriously. Posting here for discussion.

  • Probably affects Android too since it uses the Linux kernel.

    Personally I consider this to be a mild to moderate vulnerability since under no circumstances should you ever trust a non-encrypted non-authenticated channel to be safe. TCP offers in-order delivery and decent integrity checking but otherwise offers absolutely no security guarantees at all. From a crypto point of view an authentication method like TCP sequence numbers should be considered "not even there."

  • This strongly reminds me that Silence on the Wire by Michal Zalewski really is an excellent read.

  • Wasn't it fixed long, long ago? As I remember, kernel developers were fixing TCP sequence numbers at some point.

  • Earlier today I had an issue where, for some reason, my IP address was wrong. Like I was being sent through a VPN. Google and IRC were treating me as if I had a spammer's IP address.

    I know this is a common virus issue on Windows but couldn't find any explanation for why that would happen on Linux and, after turning on my actual VPN, it went away.

    So could someone explain if this is related to me? I was seriously freaked out by it, and still don't really have an explanation.