A group of researchers discovered a subtle yet critical Linux bug which could allow serious hijacking attacks against the USA Today website and other popular sites.
The vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection, researchers said in the “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous” whitepaper.
“Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks,” the paper said.
The vulnerability affects all Linux kernel versions 3.6 and later, and can be leveraged to compromise the privacy of people who use anonymity networks such as Tor, to shut down connections, and to inject malicious code into unencrypted data streams.
To make matters worse, the attack can be carried out in about 40 to 60 seconds and has a success rate between 88 and 97 percent.
Researchers said the problem stems from the introduction of challenge ACK responses and the global rate limit imposed on certain TCP control packets, a shared counter that an off-path host can observe; they proposed changes to both the TCP specification and its implementation to eliminate the root cause of the problem.
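The kernel knob behind that global rate limit is the sysctl `net.ipv4.tcp_challenge_ack_limit`; patched kernels randomize the budget, and the interim mitigation administrators applied was to raise the limit so high that the counter can no longer be probed. The script below is an added defender-side check, not code from the article or the paper; it assumes that sysctl is exposed at `/proc/sys/net/ipv4/tcp_challenge_ack_limit` and treats any limit below one million per second as the predictable, exploitable budget.

```shell
#!/bin/sh
# Added example: audit the Linux challenge-ACK rate limit described in the
# "Off-Path TCP Exploits" research. Assumes the sysctl
# net.ipv4.tcp_challenge_ack_limit (path below); absent on non-Linux hosts.

# classify_challenge_ack_limit VALUE -> prints one of:
#   vulnerable  small, predictable global budget (the pre-fix default was 100/s)
#   mitigated   limit raised far enough that the shared counter cannot be probed
#   unknown     non-numeric input (e.g. "absent" from read_challenge_ack_limit)
classify_challenge_ack_limit() {
    value="$1"
    case "$value" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$value" -ge 1000000 ]; then
        echo "mitigated"; return 0
    fi
    echo "vulnerable"; return 1
}

# read_challenge_ack_limit [PATH] -> prints the current limit, or "absent" when
# the kernel does not expose the sysctl at that path.
read_challenge_ack_limit() {
    path="${1:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"
    if [ -r "$path" ]; then
        tr -d '[:space:]' < "$path"
    else
        echo "absent"
    fi
}

# report_challenge_ack_limit -> one human-readable line for a host audit;
# exit status mirrors classify_challenge_ack_limit so it can gate a CI check.
report_challenge_ack_limit() {
    current="$(read_challenge_ack_limit "$1")"
    verdict="$(classify_challenge_ack_limit "$current")"
    status=$?
    echo "tcp_challenge_ack_limit=${current} verdict=${verdict}"
    return "$status"
}

# Live check of this host; guarded so sourcing the file never aborts a shell.
report_challenge_ack_limit || true
```

On a remediated host expect `verdict=mitigated`; `vulnerable` means the kernel still exposes the small fixed budget and should be patched or have the sysctl raised (for example via `sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999`).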
“A side channel attack capable of predicting TCP sequence numbers is a pretty serious problem,” Craig Young, Computer Security Researcher at Tripwire's Vulnerability and Exposures Research Team (VERT), told SCMagazine.com in emailed comments. “This can allow attackers to launch the TCP hijacking attacks, which were so prominent in the 1990s hacking scene.”
Young said that during that time, many computers generated initial sequence values from the clock, which greatly reduced the number of guesses needed to gain control of a remote session.