
Linux Servers TCP Flaw Allows Web Traffic Hijacking

3:28 pm on Aug 11, 2016 (gmt 0)

engine, Administrator from GB


A proof-of-concept exploit shows that an attack takes only 10 seconds, during which the hacker can accurately guess and extract the TCP packet sequence numbers exchanged between two hosts. No man-in-the-middle position is required.

It's not clear how this might be closed, as it's part of the implementation of the RFC 5961 standard.

The vulnerability affects all Linux kernel versions between v3.6 and up to v4.7 and existed in the Linux kernel for the past four years. At the heart of the problem is the design of the RFC 5961, a standard that dictates how TCP connections are established between two hosts.

Read more: [news.softpedia.com...]
3:50 pm on Aug 11, 2016 (gmt 0)

Senior Member from GB


"An attacker which knows a connection's client IP, server IP and server port can abuse the challenge ACK mechanism to determine the accuracy of a normally 'blind' attack on the client or server."

Not going to be a common attack, then.

May affect other OSes.

HTTPS helps, but does not prevent a DDoS using it.
3:53 pm on Aug 11, 2016 (gmt 0)

lammert, Senior Member from KZ


After reading the security alert, it seems that more recent versions of the Linux kernel do not properly keep track of incoming ACK segments, making it possible to fire a number of bogus packets to the server from an attacking computer in order to hijack an existing TCP connection between that server and a third party.

After that it is possible to inject malicious packets into the existing data stream between those two computers. Before this attack will work, the attacking computer must know the IP addresses of the two parties who are actively communicating with each other at the moment of the attack. Therefore this attack is most useful for injecting malicious packets into persistent communications between servers. Attacking a client connecting on an ad hoc basis with servers while surfing the internet is much more difficult, because the attack can only be successful during an existing TCP connection. DoSing the Tor network, which uses a number of servers with fixed IP addresses, is a feasible option, as is mentioned in the page engine linked to.
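As an added example (not code from any post in this thread), here is a shell check an administrator could run on a server to see whether it sits in the kernel range the thread cites and whether the challenge-ACK rate limit is still a small, guessable number. It assumes a Linux host with `/proc/sys/net/ipv4/tcp_challenge_ack_limit` present; the 1,000,000 "low" threshold is this example's own choice, and the `sysctl` value it prints is the interim workaround that was circulated for this flaw.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether this host's kernel
# version falls in the range the thread cites (3.6 up to 4.7) and whether the
# challenge-ACK rate limit still holds a small, guessable value.
# Assumptions: the host is Linux; the 1,000,000 "low" threshold is this
# example's own choice (the interim workaround raised the limit to 999999999).

# in_affected_range "4.4.0-31-generic" -> exit 0 if 3.6 <= major.minor <= 4.7,
# 1 if outside that range, 2 if the string is not a kernel version.
in_affected_range() {
    ver=${1%%-*}                 # drop "-31-generic" / "-327.el7" suffixes
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac
    n=$((major * 1000 + minor))  # so 3.10 sorts after 3.6
    [ "$n" -ge 3006 ] && [ "$n" -le 4007 ]
}

# limit_is_low VALUE -> exit 0 if VALUE is below the threshold chosen above.
limit_is_low() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -lt 1000000 ]
}

check_host() {
    k=$(uname -r)
    if in_affected_range "$k"; then
        echo "kernel $k is in the 3.6..4.7 range (a distro backport may already fix it)"
    else
        echo "kernel $k is outside the range cited in the thread"
    fi
    f=/proc/sys/net/ipv4/tcp_challenge_ack_limit
    if [ -r "$f" ]; then
        v=$(cat "$f")
        if limit_is_low "$v"; then
            echo "$f=$v is low; until a fixed kernel is running:"
            echo "  sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999"
        else
            echo "$f=$v"
        fi
    else
        echo "$f not present (not Linux, or a kernel older than 3.6)"
    fi
}

check_host
```

A version match alone is not conclusive, since distribution kernels backport fixes without changing the major.minor number; the sysctl reading is the more useful signal.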