Bad news: there is a flaw in the Linux kernel that lets an attacker inject malware into web pages and downloads, break Tor sessions, mount denial-of-service attacks and more. Considering how widely Linux and related platforms such as Android are deployed, this is more than troubling.
The flaw is a TCP/IP bug present in kernel version 3.6 and later of the open source OS. An attacker can use it to determine whether two systems have a TCP connection open to each other, and then to break that connection or, if the traffic is not encrypted, inject malicious content into it. In simpler terms, an attacker can hijack plain HTTP connections through this TCP/IP bug.
Surprisingly, exploiting the flaw needs neither a man-in-the-middle position nor any eavesdropping. The attacker can be entirely off-path; all they need to do is send the right packets to both ends to disrupt the connection. In other words, once the attacker knows the IP addresses of the two connected computers, they can send spoofed packets that appear to come from either end, and the attack is complete.
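The mechanism behind the off-path attack, as an added worked example that is not code from the article or from the researchers: the server keeps one global per-second budget of RFC 5961 "challenge ACKs" (on the affected kernels this is the sysctl net.ipv4.tcp_challenge_ack_limit, default 100, a detail assumed here rather than taken from the page). The attacker opens its own legitimate connection to the server, sends one spoofed packet on behalf of the victim, then spends the whole budget on its own connection and counts the replies. A missing reply means the spoofed packet consumed one challenge ACK, which reveals that the guessed connection exists and, for RST probes, that the guessed sequence number is in the receive window. The simulation is in-memory only; the sequence space is scaled down from 2^32 so the scan finishes quickly, and the addresses and sequence numbers are constructed. Running it against a server whose limit has been raised to a huge value also shows why that mitigation works.

```python
"""Toy model of the RFC 5961 challenge-ACK side channel. Constructed example:
no packets are sent, the 'server' and 'attacker' are plain Python objects."""
import random
from dataclasses import dataclass

CHALLENGE_ACK = "challenge_ack"


@dataclass
class Connection:
    rcv_nxt: int   # next sequence number the server expects from this peer
    rcv_wnd: int   # server's receive window for this connection


class Server:
    """Models Linux 3.6-4.6 SYN/RST handling with ONE global challenge-ACK budget."""

    def __init__(self, challenge_ack_limit=100, seq_space=2**32):
        self.limit = challenge_ack_limit      # net.ipv4.tcp_challenge_ack_limit (assumed default 100)
        self.seq_space = seq_space
        self.conns = {}                        # peer (ip, port) -> Connection
        self.acks_this_second = 0

    def tick(self):
        """A new second begins: the global counter resets."""
        self.acks_this_second = 0

    def _challenge_ack(self, peer):
        if self.acks_this_second >= self.limit:
            return None                        # budget exhausted: silently dropped
        self.acks_this_second += 1
        return (CHALLENGE_ACK, peer)

    def in_window(self, conn, seq):
        return (seq - conn.rcv_nxt) % self.seq_space < conn.rcv_wnd

    def receive(self, peer, flag, seq=0):
        conn = self.conns.get(peer)
        if flag == "SYN":
            if conn is None:
                return ("syn_ack", peer)       # ordinary handshake, no budget used
            return self._challenge_ack(peer)   # RFC 5961 s4: SYN on an established connection
        if flag == "RST":
            if conn is None:
                return None
            if seq == conn.rcv_nxt:
                del self.conns[peer]           # exact match: connection really is reset
                return ("reset", peer)
            if self.in_window(conn, seq):
                return self._challenge_ack(peer)   # RFC 5961 s3.2: in-window RST
            return None                        # out of window: dropped
        raise ValueError(flag)


class OffPathAttacker:
    """Knows only addresses, never sees traffic between victim and server."""

    def __init__(self, server, my_addr):
        self.server, self.me, self.probes = server, my_addr, 0

    def budget_consumed_by(self, spoofed_peer, flag, seq=0):
        """One spoofed packet, then 100 in-window RSTs on our own connection;
        fewer than 100 challenge ACKs back means the spoofed packet used one."""
        self.server.tick()
        self.probes += 1
        self.server.receive(spoofed_peer, flag, seq)   # any reply goes to the victim, unseen by us
        mine = self.server.conns[self.me]
        got = 0
        for _ in range(100):
            reply = self.server.receive(self.me, "RST", mine.rcv_nxt + 1)
            got += reply is not None and reply[0] == CHALLENGE_ACK
        return got < 100

    def connection_exists(self, client):
        return self.budget_consumed_by(client, "SYN")

    def find_rcv_nxt(self, client, wnd):
        """Scan in window-sized steps for an in-window block, then binary-search
        its right edge (probing rightwards never hits rcv_nxt exactly)."""
        space = self.server.seq_space
        hit = next((s for s in range(0, space, wnd)
                    if self.budget_consumed_by(client, "RST", s)), None)
        if hit is None:
            return None
        lo, hi = 0, wnd                        # hit+lo in window, hit+hi out of window
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if self.budget_consumed_by(client, "RST", (hit + mid) % space):
                lo = mid
            else:
                hi = mid
        return (hit - (wnd - 1 - lo)) % space  # hit+lo was the last in-window byte


def demo(limit=100, seed=7):
    """Returns (victim_conn_found, bogus_conn_found, inferred_rcv_nxt, true_rcv_nxt, probes)."""
    rng, wnd = random.Random(seed), 2**14
    server = Server(challenge_ack_limit=limit, seq_space=2**24)   # scaled-down sequence space
    true_nxt = rng.randrange(server.seq_space)
    true_nxt += true_nxt % wnd == 0            # an exact RST hit would reset the victim; keep the demo deterministic
    victim, me = ("203.0.113.10", 51234), ("198.51.100.7", 40000)   # RFC 5737 test addresses
    server.conns[victim] = Connection(rcv_nxt=true_nxt, rcv_wnd=wnd)
    server.conns[me] = Connection(rcv_nxt=1000, rcv_wnd=wnd)       # attacker's own legitimate connection
    atk = OffPathAttacker(server, me)
    found = atk.connection_exists(victim)
    bogus = atk.connection_exists(("203.0.113.11", 51234))          # guessed 4-tuple with no connection
    inferred = atk.find_rcv_nxt(victim, wnd) if found else None
    return found, bogus, inferred, true_nxt, atk.probes


if __name__ == "__main__":
    print("default limit   :", demo(100))
    print("limit 999999999 :", demo(999_999_999))
```

With the default budget the attacker confirms the victim's connection in one probe, rejects a wrong guess, and recovers the server's exact rcv_nxt in roughly a thousand probes on this scaled-down space (each probe being one second of wall-clock time in the real attack). With the limit raised far above 100, every probe returns all 100 challenge ACKs and the attacker learns nothing; the upstream kernel fix went further and also randomised the limit each second.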
Researchers at the University of California, Riverside reported this flaw. According to them, the weakness lies in the Linux implementation of RFC 5961, a specification published in 2010 that the kernel has followed since 2012. RFC 5961 was implemented in good faith: its purpose was to make TCP harder to attack, but it seems to have done the opposite.
Zhiyun Qian, one of the researchers who discovered the flaw, noted the ease with which the attack can be carried out. “The attack we presented requires minimal knowledge. Typically, any attacker in the world can pull it off as long as they identify two computers connected via networks that allow IP spoofing. Obtaining the IP addresses of the server and victim is relatively easy.”
For unencrypted traffic, beyond breaking connections, an attacker can inject content into the stream and so deliver malware to the victim. For HTTPS and SSH connections, the attacker can do no more than break the connection.
The researchers behind the discovery demonstrated the attack at the 25th USENIX Security Symposium in Austin, Texas. They broke a connection to the USA Today website, introducing code that also removed passwords from the reader login form. They also demonstrated the attack on Tor relay servers: out of 40 Tor relays tested, only 16 rejected their code.
At the time of writing, the latest Linux versions are vulnerable, while Windows, macOS and FreeBSD are unaffected because they do not implement RFC 5961. A patch has since been released. The danger remains real, however, because the attacker only needs one end of the connection to be unpatched for the attack to work.
If you’re using Linux, install the patched kernel as soon as you can; until then, a VPN that encrypts your traffic is worth considering if you don’t have one already.