Linux desktop and server users are advised to upgrade the latest version after the USENIX Security Symposium was told this week of a weakness in the Transmission Control Protocol (TCP) of all versions of the operating systems released since late 2012 that enables attackers to remotely hijack users’ Internet communications.
The vulnerability, (CVE-2016-5696), was found by researchers at the University of California at Riverside and detailed in a paper available here.
“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain,” project advisor Zhiyun Qian, an assistant professor of computer science at UCR said in a statement.
Researchers found a subtle flaw (in the form of ‘side channels’) in Linux that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties, the university said.
An attacker would be able to track users’ online activity, terminate connections with others and inject false material into their communications. Encrypted connections (e.g., HTTPS) are immune to data injection, but they are still subject to being forcefully terminated by the attacker. The weakness would allow attackers to degrade the privacy of anonymity networks, such as Tor, by forcing the connections to route through certain relays, the university said.
Researcher said the attack is fast and reliable, often taking less than a minute and showing a success rate of about 90 per cent.
The problem has been patched in Linux versions that have the 4.7 kernel. Administrators who can’t update quickly can work around the problem by raising the `challenge ACK limit’ to an extremely large value to make it practically impossible to exploit the side channel. This can be done on Ubuntu, for instance, opening /etc/sysctl.conf, append a command “net.ipv4.tcp_challenge_ack_limit = 999999999”. Then use “sysctl -p” to update the configuration.