back to article Linux security backfires: Flaw lets hackers inject malware into downloads, disrupt Tor users, etc

A flaw in the Linux kernel lets hackers inject malware into downloads and webpages, smash Tor connections, launch denial-of-service attacks, and more. This is a troubling security headache because Linux is used widely across the internet, from web servers to Android smartphones, tablets and smart TVs. The TCP/IP networking …

  1. Ropewash
    Facepalm

    Patch incoming in... 3,2,1

    Except for Android phones and smart TV's (and home routers?). Those will be screwed over.

    Keep your torrents encrypted. :)

    Now I'm expecting some clear and insightful comments from the MS fudslingers. Don't let me down guys.

    1. Anonymous Coward
      Anonymous Coward

      Re: Patch incoming in... 3,2,1

      You're projecting, my dear chap...

      1. Ropewash

        Re: Re: Patch incoming in... 3,2,1

        "You're projecting, my dear chap..."

        Perhaps. I was just thinking the MS guys might like to have a go at the Linux folks this go-round.

        After all, we (myself included) don't miss many opportunities to give MS a well earned kicking when they're down.

        However other responders were much better at reading the mood than I and it seems they're either above it or just couldn't be arsed. Too bad, I'm bored after work and enjoy reading the arguments.

    2. Daniel Palmer

      Re: Patch incoming in... 3,2,1

      "Except for Android phones and smart TV's (and home routers?). Those will be screwed over."

      Most of that stuff is running kernels so old that they don't contain the affected code.

      1. paulc

        Re: Patch incoming in... 3,2,1

        about device on my Galaxy S5 gives kernel version 3.10.61

        1. asdf Silver badge

          Re: Patch incoming in... 3,2,1

          > Galaxy S5 gives kernel version 3.10.61

          I though the Android kernel was forked off the Linux kernel at version 3.0 or so. Is Samsung different?

        2. Wilseus

          Re: Patch incoming in... 3,2,1

          "about device on my Galaxy S5 gives kernel version 3.10.61"

          Some Linux-based systems use kernels with newer features backported to them, so the kernel version being reported won't necessarily tell you much. That's definitely the case with ChromeOS, I don't know if it applies to Android as well though.

        3. Anonymous Coward
          Anonymous Coward

          Re: Patch incoming in... 3,2,1

          >>. about device on my Galaxy S5 gives kernel version 3.10.61

          errr that's nice. cheers

        4. Zola
          Facepalm

          Re: Patch incoming in... 3,2,1

          Nexus 7 (2013) with all of the latest Marshmallow updates:

          ~$ uname -a

          Linux localhost 3.4.0-g1fc765b #1 SMP PREEMPT Wed Jun 8 18:49:02 UTC 2016 armv7l

          So no worries there - for once being on an ancient kernel is a blessing!

    3. keithpeter
      Linux

      Re: Patch incoming in... 3,2,1

      "The flaw finders have developed and distributed a patch for this serious error, but that's still going to leave a lot of servers unpatched – and the exploit only requires one end of the communicators to be unpatched for the hack to work."

      @Ropewash: I suspect that the 'fudslingers' will not be too voluble: see the first part of the quote from OA above. The BSD fixie riders might manage a smug smile.

      The real question is how do we siphon off some small fractions of a % of the beelions that large Internet companies have made (annually) using software that has been written and distributed freely - the money to be used for the purpose of software audit and code checking?

      1. 1Rafayal

        Re: Patch incoming in... 3,2,1

        why should users of this free software be responsible for testing it? Shouldnt the maintainers of the free software carry out the testing for it instead?

        Consumers of the software just need to make sure it does what they want it to do, not that it does what everyone wants it to do.

        Also, why should these "beelions" made by large Internet companies who use this free software pay for that testing? Especially when they need to pay people to support the free software they just decided to use?

        Proprietary software for companies as large as you are alluding to normally comes with Enterprise support to provide 24/4 help to anyone using that software. Other companies pushing open source and free software also sell Enterprise support plans for this software. So when exactly does it become as free as you mention?

        1. Anonymous Coward
          Anonymous Coward

          Re: Patch incoming in... 3,2,1

          "why should users of this free software be responsible for testing it? Shouldnt the maintainers of the free software carry out the testing for it instead?"

          Er, you don't really understand from whom Linux comes, do you? And in case you're wondering, there's no piece of software anywhere that gives any guarantees of correctness, free or paid-for.

          Though I will say one thing though about Linux: isn't it high time that the network stack got moved out of the kernel? Things like this point quite convincingly to the perils (never mind the performance problems) of putting such a large chunk of code in the kernel. This is too close for comfort to being able to take over a machine through it's stack.

          1. 1Rafayal

            Re: Patch incoming in... 3,2,1

            @AC

            So, you think that people should be responsible for carrying out unspecified testing on software they have either just purchased or agreed to use? Are you for real?

            And for those people paying for an enterprise support package - they are also supposed to carryout some unspecified testing on whatever software they are using as well whilst paying for their enterprise support?

            This has nothing to do with Linux, so not sure why you felt the need to pick that one out, maybe because it satisfies an argument you are having with yourself?

            I think it is pretty clear you dont work at the enterprise level, so maybe you should keep your opinions to your self on these matters? At least until you know what you are talking about?

            Oh, and I dont give a monkeys about what is in the Linux kernel.

      2. Packet

        Re: Patch incoming in... 3,2,1

        Did you just call a BSD user a hipster?

        Come now, that's such a horrid thing to say - just beyond the pale.

        1. keithpeter
          Windows

          Re: Patch incoming in... 3,2,1

          "Did you just call a BSD user a hipster?"

          Yup: based on my locally available sample: beard (tick), fixed wheeled bicycle (tick), lives in small flat with a balcony on which bike is parked (tick), wears shoes without socks (tick), likes a local independent coffee shop with tables made from plywood (tick).

          Pity about the shell suit though.

          1. asdf Silver badge

            Re: Patch incoming in... 3,2,1

            >"Did you just call a BSD user a hipster?"

            Web browsing mostly out of a OpenBSD VM is smart security practice. I guess that passes for hipster these days. Not to mention if I had to maintain internet facing servers OpenBSD would be my first choice. Wouldn't be worrying about this mickey mouse shit for example.

      3. This post has been deleted by its author

  2. Roo
    Unhappy

    Nice hack

    Neat hack. Slightly relieved that HTTPS & SSH still work. :)

    1. Tessier-Ashpool

      Re: Nice hack

      SSL, anyone? El Reg?

      1. Anonymous Coward
        Anonymous Coward

        Re: Nice hack

        When using a secure connection (https, ssh, tor etc), you cant modify it, but with this you can end the session.

        1. NotBob

          Re: Nice hack

          So that's what's happening when we try to see el reg in https

  3. That_Guy

    meh

    Where's my tinfoil thingamabob... OK, all good.

    No way in hell would I implement the workaround. On a system with a high volume TCP load, I speculate that essentially removing rate limiting would open one up to stack saturation / buffer overflows with intentionally sent malicious packets. Or maybe that's the intention of this workaround that reads like a nation state armchair exploitation.

    Agent N: Oy geeza, do this or you'll be owned -

    Adminerd: Kk.

    Agent N: lolz owned.

    Adminerd: :[, barely had time to lick a boot.

    1. Anonymous Coward
      Anonymous Coward

      Re: meh

      Stack saturation maybe, but I hope "buffer overflows" ain't gonna happen nowadays. I mean, EVERYONE must have heard of QA, liniting, defensive programming, not behaving like a clown who thinks he is skilled with obscure pointer arithmetic etc. nowadays.

      Well, there will always be unskilled first-timers overly confident in their nomnexistent skills and barely aware of software development processes, but I hope they won't be near a network stack...

      1. Anonymous Coward
        Anonymous Coward

        Re: meh

        >Well, there will always be unskilled first-timers overly confident in their nomnexistent skills and barely aware of software development processes, but I hope they won't be near a network stack...

        IoT?

  4. joed

    not linux fault then

    the RFC has not been thoroughly tested and early adopters (or followers of standards) pay the price.

    1. dajames Silver badge

      Re: not linux fault then

      No, it's not Linux's fault ... as the article does note: while later versions of Linux are vulnerable to this attack, Windows, OS X and FreeBSD aren't vulnerable because they haven't fully implemented RFC 5961 as yet.

      So, Linux is ahead of the game, but I'd hardly call it an "early adopter". RFC5961 is six years old and is designated a "PROPOSED STANDARD" (their caps) you might think a few others would have picked it up by now ... but then again RFC2460 is nearly 18 years old and we still don't have universal IPv6 support. Things do go slowly in standards-land, and perhaps that's just as well.

      1. Anonymous Coward
        Anonymous Coward

        Re: not linux fault then

        The majority of RFCs these days seem to be a solution looking for a problem

  5. frank ly Silver badge

    At least it's an easy fix

    /etc/sysctl.conf is quite a short config file. I notice the following in my Linux Mint installation:

    # Uncomment the next two lines to enable Spoof protection (reverse-path filter)

    # Turn on Source Address Verification in all interfaces to

    # prevent some spoofing attacks

    #net.ipv4.conf.default.rp_filter=1

    #net.ipv4.conf.all.rp_filter=1

    I wonder why these haven't been enabled by default for a distribution that is obviously intended as a domestic computer. (Also, it shouldn't say "the next two lines", it should say "the final two lines".)

    There is this one too:

    # Do not accept ICMP redirects (prevent MITM attacks)

    #net.ipv4.conf.all.accept_redirects = 0

    #net.ipv6.conf.all.accept_redirects = 0

    However, there is a comment that "Some network environments, however, require that these settings are disabled so review and enable them as needed."

    1. patrickstar

      Re: At least it's an easy fix

      There is no benefit from these settings unless you are on a multihomed host - and chances are your home network isn't. *

      And they break lots of multihomed setups.

      So no, not good to have by default. I think Debian actually used to enable them by default but wisened up. At least I have lots of memories of doing routy stuff with Debian and repeatedly scratching my head as to why it wasn't working until I remembered to disable them.

      * Actually, there is one use case on a single homed host: Efficiently blocking traffic from a long list of addresses/networks. Add routes for them via loopback and enable rp_filter. What rp_filter does is look up the sources of all incoming packets in the routing table and dropping the packets if the incoming interface doesn't match the route. And routing table lookups are a lot more efficient than stepping through firewall rules.

  6. UKHobo
    Alien

    take me to your leader

    # Log Martian Packets

    #net.ipv4.conf.all.log_martians = 1

    nice pointer to the /etc/sysctl.conf file thanks but now that I'm looking at it I'm thinking this particular option should be switched on by default

    1. Paul Crawford Silver badge
      Alien

      Re: take me to your leader

      For an internet-facing PC port (e.g. firewall) that makes sense, but behind NAT you really don't want a log of all 192.168.0.0/16 packets!

    2. idef1x

      Re: take me to your leader

      Not realy..It will log every private IP it sees and since you're most likely connected to a network that uses private ip ranges...(here in the office in the 10.0.0.0/8 range and at home 192.168.0.0/16 range for example)...so if you like to fill your logging with it...go ahead

    3. Alistair Silver badge
      Coat

      Re: take me to your leader

      @ UKHobo:

      Log martians yes, but even on an INSIDE network, use your syslog to ratelimit or filter them. If you have one or two phones on the network, a TV and perhaps a reasonably new printer you'll go nuts chasing them all down.

  7. David Roberts Silver badge
    Joke

    Won't you think of the children?

    From the picture all of the UCR researchers are foreign looking.

    Can't even pronounce their names.

    Sweet Jesus, Donald, where are you when we need you?

    .

    .

    .

    .

    .

    .

    .

    .

    .

    .

    Sort of joking, but have you noticed how many US security researchers (mathematics based generally) seem to be Asian? Loads of Chinese and Pakistani/Indian names? Are they better at maths than their Western counterparts due to early training? Or just all round brighter?

    1. Jack of Shadows Silver badge

      Re: Won't you think of the children?

      More dedicated in my view. The grad student I was paired with had her own theorem in econometrics. She was from India which has a very fine tradition in maths. That was in the early '90's when I went back to college for a second go at, you probably guessed it, UCR. It was my mother's alma mater as well. She earned her Ph.D. when she was 49, and UCR was just as ethnically diverse back then, too.

      1. Anonymous Coward
        Anonymous Coward

        Re: Won't you think of the children?

        Asians/Indians are burning bright (and also numerous) while Whitey is out tweeting like a dumb fuck, Jews have lost their hunger and Blacks are there because of affirmative action.

        So there we go.

        (Anon obviously because hella non-PC)

        1. razorfishsl

          Re: Won't you think of the children?

          More dumb ass Stereo typing

    2. Alister Silver badge

      Re: Won't you think of the children?

      Sweet Jesus, Donald, where are you when we need you?

      I wonder if he knows Jesus was a towelhead?

      1. Sir Runcible Spoon Silver badge
        Joke

        Re: Won't you think of the children?

        He's a Red Sea pedestrian and proud of it :)

      2. scrubber

        Re: Won't you think of the children?

        Jesus, like Santa, is white!

        I know this because they said so on a news channel...

        https://www.youtube.com/watch?v=7XYlJqf4dLI

        1. oldcoder

          Re: Won't you think of the children?

          Well, considering he is a British, Dutch and Turkish origin - most of him coming from northern Europe...

      3. Anonymous Coward
        Anonymous Coward

        Re: Won't you think of the children?

        Jesus was Jewish

        1. Anonymous Coward
          Anonymous Coward

          Re: Won't you think of the children?

          @downvoter

          You mean Jesus wasn't Jewish? Did I get this wrong, is this factoid in dispute? Inquiring minds need to know!

          1. Anonymous Coward
            Anonymous Coward

            Re: Won't you think of the children?

            "You mean Jesus wasn't Jewish? Did I get this wrong". Perhaps your comment was just a bit off topic, perhaps he was a Palestinian, perhaps he was a self hating Jew, perhaps he was white, perhaps he was not, perhaps you should just shut up.

    3. Anonymous Coward
      Anonymous Coward

      Re: Won't you think of the children?

      Sort of joking, but have you noticed how many US security researchers (mathematics based generally) seem to be Asian? Loads of Chinese and Pakistani/Indian names? Are they better at maths than their Western counterparts due to early training? Or just all round brighter?

      You're forgetting the "yooge" population sizes of China and India (each over 1.2 billion) compared to the rest of the world, and familial pressures on children to succeed. There are several factors that help the stereotype.

      1. Anonymous Coward
        Anonymous Coward

        Re: Won't you think of the children?

        And they have a totally different style of teaching.

        http://www.ft.com/cms/s/0/11ed77a2-14eb-11e5-9509-00144feabdc0.html#axzz4H1ml1Wme

        1. Anonymous Coward
          Anonymous Coward

          Re: Won't you think of the children?

          Numbers are all one syllable in most asian languages - easier to process

          1. Frumious Bandersnatch Silver badge

            Re: Won't you think of the children?

            Numbers are all one syllable in most asian languages - easier to process

            Well the exception proves the rule, I guess: 「一」の読みは「いち」です。

    4. Anonymous Coward
      Anonymous Coward

      Re: Won't you think of the children?

      I will point out that there are some legitimate reasons why you see more foreign-born people in these positions. For one, American trained BS STEM graduates can often get high salaries. Depending on the field those figures can exceed $100,000/yr. For a lot of fields, the salary increase due to a MS or PhD degree is not substantial enough to convince graduates to go back to college for several more years. Furthermore, the undergraduate STEM students we produce in the US are much better trained than the international graduate students that we receive. This means that internationally educated graduates have a greater incentive to come to a US institution for further study, which puts them in a better position to be part of work like this after graduation.

      There's also the point that, if the work is done at a university, then chances are most of the people working on it are graduate students, who as mentioned above are more likely to be of international background. It's also a lot easier for an international student to get an education in the US, than it is to find a job here afterwards.

      While I'm speaking from a US perspective, I would expect the same holds true for other countries with a comparable academic tradition, like the UK.

      1. Lars Silver badge
        Happy

        Re: Won't you think of the children?

        @AC

        "Furthermore, the undergraduate STEM students we produce in the US are much better trained than the international graduate students that we receive".

        The whole thing is fairly complicated. Listen to this American professor of theoretical physics at the City College of New York.

        https://www.youtube.com/watch?v=CrE9z1JFT1Y

        To put it bluntly, a country that does not understand the value of affordable education for each and every kid will end up with a uneducated population. A catastrophe for a democracy. And please, I am not laughing or mocking you, but this US election is just too revealing to go unnoticed around the world.

  8. This post has been deleted by its author

  9. Chewi
    Linux

    Just Linux?

    Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all? Couldn't you just send spoofed packets anyway without any of the initial setup?

    1. Sir Runcible Spoon Silver badge

      Re: Just Linux?

      I think you need to be able to stop one side sending out ACK checks so you can anticipate the packet sequence numbers reliably.

      1. Chewi

        Re: Just Linux?

        Good answer, thanks.

    2. SImon Hobson Silver badge

      Re: Just Linux?

      Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?

      Yes !

      In effect, this isn't a new attack, it's just a way of disabling the mitigation for a very old attack - which as far as I can tell is a CVE from 2004. While I can see that a determined and well informed attacker could use the old attack against some types of traffic, in the general case I can't see it being that much use. You need to know that two IP addresses are communicating, and what ports they are using, and the sequence numbers they are using - AND exactly when they are doing it. Armed with all that knowledge, you can then inject packets - but if the traffic being passed is in any way checked (either explicitly or as a side effect of encryption such as SSL) then there's not much you can do other than terminate the connection.

      So I think you can forget about attacks such as "changing the contents of an email or web page" simply because the requirements in terms of knowing exactly who is talking to who, using what ports, and when, are such as to make it impractical without the sort of access to information that would in reality make other ways of doing the same thing far more useful !

      SSH sessions ? Tend to be quite long lived - but all you could do is terminate the session.

      Torrent downloads ? Don't the clients checksum all the pieces anyway ?

    3. Richard 26
      Facepalm

      Re: Just Linux?

      "Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?"

      Sadly, not. The problem is that since the total number of challenges is rate limited, an attacker can deduce the number of challenges sent on attempts to spoof valid connections. So instead of having to guess port number tuples, the attacked system will now tell you.

      In order to make blind guessing less effective, we will now let you know when you are getting close. Sadly, a small flaw in an attempt at hardening has made things worse.

  10. DropBear Silver badge

    So, you're basically saying we should change our El Reg passwords...? And tomorrow do it again...?

    1. Drop Bear
      Unhappy

      @DropBear

      I wouldn't bother changing your El Reg password. It's not as if it's protecting anything tangible.

  11. ivan itchybutt

    small hurdle?

    "...after inferring the source and destination ports in a connection"

    doesn't seem like a trivial task if you're not man in the middle.

  12. John Sanders
    Holmes

    This is not trivial to exploit

    But obviously stating this does not help the click-fest.

    There are already patches proposed in the kernel mailing list.

    Bet by tomorrow this is a non-issue.

    And it is not a Linux vuln but a protocol flaw.

    1. tom dial Silver badge

      Re: This is not trivial to exploit

      It is a protocol flaw, yes, but because Linux implements the protocol, it also is a Linux vulnerability. The two things are not mutually exclusive.

  13. J J Carter Silver badge
    Windows

    Many eyes...

    But they were looking at nudie pics

  14. Anonymous Coward
    Anonymous Coward

    How to tell if your system is affected

    check if your system is affect by running command "cat /proc/sys/net/ipv4/tcp_challenge_ack_limit".

    If the file is there and the value is 100 or less. Then follow the workaround to fix the vulnerable.

  15. TCPeed

    "I think you need to be able to stop one side sending out ACK checks so you can anticipate the packet sequence numbers reliably."

    "Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?"

    Something I'm not completely clear about after reading a few of these:

    Does it only take one Linux computer (in the session) to push this exploit, or do both sides of the communication have to be Linux?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019