Linux security backfires: Flaw lets hackers inject malware into downloads, disrupt Tor users, etc

A flaw in the Linux kernel lets hackers inject malware into downloads and webpages, smash Tor connections, launch denial-of-service attacks, and more. This is a troubling security headache because Linux is used widely across the internet, from web servers to Android smartphones, tablets and smart TVs. The TCP/IP networking …

  1. This post has been deleted by its author

  2. Chewi
    Linux

    Just Linux?

    Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all? Couldn't you just send spoofed packets anyway without any of the initial setup?

    1. Sir Runcible Spoon

      Re: Just Linux?

      I think you need to be able to stop one side sending out ACK checks so you can anticipate the packet sequence numbers reliably.

      1. Chewi

        Re: Just Linux?

        Good answer, thanks.

    2. SImon Hobson Bronze badge

      Re: Just Linux?

      Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?

      Yes!

      In effect, this isn't a new attack, it's just a way of disabling the mitigation for a very old attack - which as far as I can tell is a CVE from 2004. While I can see that a determined and well informed attacker could use the old attack against some types of traffic, in the general case I can't see it being that much use. You need to know that two IP addresses are communicating, and what ports they are using, and the sequence numbers they are using - AND exactly when they are doing it. Armed with all that knowledge, you can then inject packets - but if the traffic being passed is in any way checked (either explicitly or as a side effect of encryption such as SSL) then there's not much you can do other than terminate the connection.

      So I think you can forget about attacks such as "changing the contents of an email or web page" simply because the requirements in terms of knowing exactly who is talking to who, using what ports, and when, are such as to make it impractical without the sort of access to information that would in reality make other ways of doing the same thing far more useful!

      SSH sessions? Tend to be quite long lived - but all you could do is terminate the session.

      Torrent downloads? Don't the clients checksum all the pieces anyway?

    3. Richard 26
      Facepalm

      Re: Just Linux?

      "Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?"

      Sadly, not. The problem is that since the total number of challenges is rate limited, an attacker can deduce the number of challenges sent on attempts to spoof valid connections. So instead of having to guess port number tuples, the attacked system will now tell you.

      In order to make blind guessing less effective, we will now let you know when you are getting close. Sadly, a small flaw in an attempt at hardening has made things worse.

  3. DropBear

    So, you're basically saying we should change our El Reg passwords...? And tomorrow do it again...?

    1. Drop Bear
      Unhappy

      @DropBear

      I wouldn't bother changing your El Reg password. It's not as if it's protecting anything tangible.

  4. ivan itchybutt

    small hurdle?

    "...after inferring the source and destination ports in a connection"

    Doesn't seem like a trivial task if you're not man in the middle.

  5. John Sanders
    Holmes

    This is not trivial to exploit

    But obviously stating this does not help the click-fest.

    There are already patches proposed in the kernel mailing list.

    Bet by tomorrow this is a non-issue.

    And it is not a Linux vuln but a protocol flaw.

    1. tom dial Silver badge

      Re: This is not trivial to exploit

      It is a protocol flaw, yes, but because Linux implements the protocol, it also is a Linux vulnerability. The two things are not mutually exclusive.

  6. Anonymous Coward
    Windows

    Many eyes...

    But they were looking at nudie pics

  7. Anonymous Coward
    Anonymous Coward

    How to tell if your system is affected

    Check if your system is affected by running the command "cat /proc/sys/net/ipv4/tcp_challenge_ack_limit".

    If the file is there and the value is 100 or less, then follow the workaround to fix the vulnerability.
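A script that performs the check described in comment 7 above, added here as an example and not posted by any commenter; the sysctl path and the threshold of 100 come from that comment, the three exit codes and the optional path argument are this script's own convention, and the demonstration value at the end is constructed so the script runs even where /proc is unavailable.

```shell
#!/bin/sh
# Added example: report whether this kernel's challenge-ACK rate limit is
# still at the low default that comment 7 warns about.
# Exit status of the function: 0 = limit above 100 (workaround applied),
#                              1 = limit is 100 or less (affected default),
#                              2 = file absent or unreadable (no RFC 5961
#                                  challenge ACKs, so this check does not apply).
check_challenge_ack_limit() {
    file="${1:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"
    if [ ! -r "$file" ]; then
        echo "absent: $file is not present or not readable"
        return 2
    fi
    limit=$(tr -d '[:space:]' < "$file")
    case "$limit" in
        ''|*[!0-9]*)
            echo "unreadable: value '$limit' in $file is not a number"
            return 2 ;;
    esac
    if [ "$limit" -le 100 ]; then
        echo "affected: tcp_challenge_ack_limit=$limit (100 or less)"
        return 1
    fi
    echo "ok: tcp_challenge_ack_limit=$limit"
    return 0
}

# Live check of the running kernel; "|| :" keeps the script going so the
# constructed demonstration below still runs where /proc is missing.
check_challenge_ack_limit || :

# Constructed demonstration: a file holding the affected default value.
demo=$(mktemp)
echo 100 > "$demo"
check_challenge_ack_limit "$demo" || echo "(exit status $?)"
rm -f "$demo"
```

Comment 7 does not spell out the workaround; the interim mitigation that distributions published at the time was to raise net.ipv4.tcp_challenge_ack_limit to a very large value with sysctl until a patched kernel could be installed.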

  8. TCPeed

    "I think you need to be able to stop one side sending out ACK checks so you can anticipate the packet sequence numbers reliably."

    "Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?"

    Something I'm not completely clear about after reading a few of these:

    Does it only take one Linux computer (in the session) to push this exploit, or do both sides of the communication have to be Linux?
