Linux Bug Leaves USA Today, Other Top Sites Vulnerable To Serious Hijacking Attacks

Dan Goodin, reporting for Ars Technica: Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren't encrypted, inject malicious code or content into the parties' communications. The vulnerability resides in the design and implementation of RFC 5961, a relatively new Internet standard that's intended to prevent certain classes of hacking attacks. In fact, the protocol is designed in a way that it can easily open Internet users to so-called blind off-path attacks, in which hackers anywhere on the Internet can detect when any two parties are communicating over an active transmission control protocol connection. Attackers can go on to exploit the flaw to shut down the connection, inject malicious code or content into unencrypted data streams, and possibly degrade privacy guarantees provided by the Tor anonymity network. At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that allows them to inject content into an otherwise legitimate USA Today page that asks viewers to enter their e-mail and passwords.

TLS

[DarkOx]

And using SSL/TLS or ipsec would basically close this hole entirely. What we see here is that it might be a little easier to inject into non-ciphered non-authenticated content and there may be a slightly larger scope of attackers positioned to do it.

NON STORY

There has always been a risk that plan text traffic could be tampered with, nothing has really changed here and I don't see that risk even being significantly increased.

Re:TLS

[omnichad]

For many websites using a cert is simply to expensive and may require a dedicated IP.

Answer: Let's Encrypt and SNI. There is no excuse. If you can't do that, find a new host.

Re:TLS

[darkain]

Too bad nobody provides simple to install and manage certs for free that don't require a dedicated IP address then. https://letsencrypt.org/

Re:TLS

[paskie]

...because letsencrypt?

Re: TLS

[corychristison]

Even without Lets Encrypt, you can find paid certs for ~$5 USD per year. That's half the price of a domain name.

If you can't afford that, what the hell are you doing?

Re: TLS

[thegarbz]

Even without Lets Encrypt you can find free certs.

Re: TLS

[Dagger2]

The lack of automation means you end up paying in admin overhead though.

Re: TLS

[Dog-Cow]

15 minutes a year. Woo-fucking-hoo.

Re: TLS

[thegarbz]

If you can't afford the tiny overhead of updating your SSL certificates then you should really make that clear to your investors or anyone else who has any stake in the impeding failure of your business.

Re:TLS

[Zontar+The+Mindless]

The idiocy of the shills here is incredible. It's like a brain tumor threw up...

Thanks for making me laugh out loud with a mouthful of coffee.

(P.S. You owe me a new keyboard.)

Re: TLS

[bhiestand]

If you can't afford to automate the overhead and risk of not properly updating your SSL certificates, then you should really make that clear to your investors or anyone else who has any stake in the impending failure of your business.

Re: TLS

[thegarbz]

Err no. The ability to automate or not automate really low cost risks is not something that will put you out of business.

Depending on eliminating those really low costs however will.

Thanks for playing.

Re:Once again, open source is vulnerable

[OrangeTide]

Do you have some examples of secure closed source? It's hard to find examples that have an install base in the server world as big as Windows or Linux, and examples of less used systems can be a bit suspect as they could simply be a statistical anomaly or not well known and not a popular target in the hacker scene. (although some of those guys will dig into pretty much anything, especially if they can work out a cool presentation at DEF CON)

Linux vulns tend to get corrected pretty quickly, as there are a lot of contributors. And like most vulns the easy way to avoid this is not to add so many damn features.

PS - OpenBSD doesn't have this flaw, and it is also open source.

Re:Once again, open source is vulnerable

Most ordinary users don't look at the source because they just want a computer that works and does what they want it to. However, publishing source code allows hackers to find the vulnerabilities more easily than guessing them with closed source software. Open source software is inherently insecure and closed source offers far greater security.

At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that allows them to inject content into an otherwise legitimate USA Today page that asks viewers to enter their e-mail and passwords.

It looks to me that by having the source code available, these researchers - white hats - found the vulnerability before the bad guys did. Of course, USA Today being highjacked wouldn't exactly be this horrible ordeal or any real loss to humanity.

R.I.P. IPsec

[OrangeTide]

I wrote a tiny bit of IPsec code about 15+ years ago, for a router company thinking it would take off. It still hasn't taken off, and I've given up on anyone giving two shits about rolling out IPsec in any significant way.

Re:R.I.P. IPsec

Me too (writing IPsec code years ago) and it was just so over-engineered, and had so many platform interoperability issues, no one wanted to use it. Hard to configure, hard to get right. Almost as if someone wanted it to be too complex to audit, and too full of holes.

SSH and VPN tunnels are more useful in real life.

Re: R.I.P. IPsec

[HunterBreedlove4465]

With simplicity being the goal, Id want some complexities for security; hense, smoke on the battlefields _ avoidance _ distractions are the aterior motives to discussion. IPSec, how many rules can you bend?

Re:R.I.P. IPsec

[skids]

IKEv2 is a bit better in that respect than IKEv1 is.

Really, the problem with doing IPSEC right has always been 90% inter-vendor interoperability and only 10% due to the complexities of the protocol. When you have to interoperate with vendors who have not made a complete IPSEC product, security with the well done implementations also suffers. Strongswan to Strongswan works pretty damn well, though.

No

[HBI]

The DOS possibilities are ignored by you. This is a significant problem. Why bother with a DDOS via a botnet when you can do this kind of thing from a single host?

Re:No

[HBI]

Combine the two, and a smaller botnet is sufficient to accomplish your goal. Regardless, it's still another threat that we didn't need. If the RFC were unimplemented, we'd be better off.

The good idea fairy(tm) strikes again.

Seems too scary to be believable

[mi2]

hackers anywhere on the Internet can detect when any two parties are communicating over an active transmission control protocol connection

The above does not seem believable — in principle. Unless by "hackers anywhere" means "hackers able to login anywhere".

Would any resident network experts care to comment?

Re:Seems too scary to be believable

[kamakazi]

Yeah, I am also having a little trouble with the "hackers anywhere" You can't inject into traffic you can't see, so saying you don't need a man in the middle is a little disingenuous. Yes, you don't need an actual man in the middle routing packets, but it appears that you need a controlled host on a subnet through which the traffic passes.

In a switched network even this would be insufficient, since in the terminal subnets (both client and server) IP traffic is only visible on the actual switchport to which the relevant host is connected.

In the routing subnets between the terminal subnets I would hope that any computers that exist (as opposed to hardware switches and routers and flow shapers and such) would be very carefully monitored and protected. I know on the college campus network I administer the routing subnets are very small (/29s or even /30s) and usually do not contain any general purpose computers.

If you have a compromised computer actually in a position to see IP traffic it has always been trivial to spoof TCP RST packets and such to break a connection.

So yes, the vulnerability exists, but I don't see anything that I will lose sleep over. The problem with the hack is it seems to require the hacker to have already owned a machine on one of the terminal subnets involved in the attack which can see a lot more than it should be able to. A promiscuous NIC still can't see switched traffic. If this is indeed the case there has been a severe misconfiguration on the network.

Even in a wireless scenario I am not sure it is a serious threat, unless the hacker has full visibility in the wired network behind the access points, since WPA2 is going to make packet injection pretty tough

I looked briefly at the RFC mentioned, and it is attempting to make the old school "spoof a RST" type attacks harder, but those attacks should be very difficult on a modern network simply because layer 2 switching makes it hard to collect the parameters needed to build the layer 3 attack packets.

There was a company a decade or so ago (maybe they still exist, I dunno) called Audible Magic which was designed to prevent downloading copyrighted music. It required a span or mirror port so it could see the entire internet feed, it then watched TCP connections, did some sort of hash based song detection, then spoofed RSTs to both ends of the connection. Didn't work all that well, probably because it took to long to detect the song, and bittorrent made it useless because you don't get big enough pieces to fingerprint the song from a single connection, so we didn't have it around too long. I just don't understand how this attack works without that full sniffer connection.

If you were to combine some kind of storm attack in the network to cause the switches to fall into dumb repeater mode then yes, you could see the packets, but at that point the network is probably too dysfunctional for the target TCP connection to stay up anyway.

Re:Seems too scary to be believable

[DarkOx]

I commented already that I don't think this is of concern either. If we really want to tin foil hat up though it might be possible to inject into traffic you can't see. If its highly predictable traffic.

Linux Bug Leaves USA Today,

Am I the only one that (mis-)read the headline and went WTF?

Linux Bug Leaves USA Today

[StikyPad]

I say good riddance!

Re:Linux Bug Leaves USA Today

[Tablizer]

Linux hater!

Re:Linux Bug Leaves USA Today

[darkain]

I think you need a new sig (posted via Slashdot HTTPS)

Re:Once again, open source is vulnerable

[MSG]

I'm not in the habit of responding to obvious trolls, but this case makes very clear the flaw in the logic of people who actually believe that open source is insecure.

The bug is in the specification, which is necessarily open in order to create inter-operable systems. And what is code, if not a machine readable specification?

The idea that closed source is more secure, taken to its logical end, is an argument for closed systems that don't inter-operate with other systems. Their operation would have to be entirely secret and proprietary.

Re:Once again, open source is vulnerable

[Tharkkun]

I'm not in the habit of responding to obvious trolls, but this case makes very clear the flaw in the logic of people who actually believe that open source is insecure.

The bug is in the specification, which is necessarily open in order to create inter-operable systems. And what is code, if not a machine readable specification?

The idea that closed source is more secure, taken to its logical end, is an argument for closed systems that don't inter-operate with other systems. Their operation would have to be entirely secret and proprietary.

It really goes both ways. Open and Closed source code are equally secure. Many times open source code is though to be so secure that people don't discover the bugs for many years later. The advantage of open source is that the bug generally gets fixed faster than closed source due to the visibility of the issue.

Not A Linux Bug

[StormReaver]

The bug is in the RFC, which Linux implements faithfully. I find it funny that the only reason Linux is the only mainstream operating system that is vulnerable is because it's the only mainstream operating system that implements the RFC. And yes, it is a very critical bug, one which the RFC needs to address, too.

Also, the fix was committed a few weeks ago, but distributions haven't pushed it out yet (at the time the arstechnica article was written).

Re:Not A Linux Bug

Really? Not A Linux Bug?

How about it is a Linux bug, with ultimate responsibility going to the RFC. And no, it's not sufficient for the Linux world to say, "oh well, it's the RFC, so nothing to do with us." You used the RFC, you inherited the bug, you have a problem.

Linux must now decide whether to wait for the RFC process to correct the issue at source (a process that could potentially take months or years), unilaterally change the spec and wait for the RFC process to catch up, or deprecate the RFC entirely. Not a fun set of choices huh?

To do nothing is irresponsible. To send out the message that "there's nothing wrong with Linux here" is equally irresponsible. You don't get to leave your users in the lurch while you sit (collectively speaking) on your hands.

Re:Not A Linux Bug

[Mondragon]

There is absolutely nowhere in the RFC that it specifies that the challenge ACK rate limiter should be a single global limiter. Claiming that the Linux implementation is "faithful" is mostly true, in a naive way, but a non-broken implementation would *also* be a "faithful" implementation of the RFC.

Re:Not A Linux Bug

[Dog-Cow]

Your stupidity is so profound, you truly deserve to be tortured for decades.

The very comment you replied to has a second paragraph, which you completely ignored in your rush to post a stupid rant about a complete non-issue.

RFC5961 is flawed

[kent.dickey]

I read the brief article, and read RFC5961, and here's a quick summary:

A TCP connection is uniquely identified by the combination of: Source IP address; Destination IP address; Source port number; Destination port number. TCP also has a sequence number, which helps reorder packets. It also helps prevent spoofing, but spoofing is still possible. Any computer on the internet can craft a packet to send to a Destination IP address and Destination port with all the other fields spoofed. A spoofer cannot receive a reply (the Destination machine will send any replies to the indicated Source IP address, which the spoofer cannot see).

So, it's possible to inject SYN and RST requests into valid streams, shutting down other people's connections (although you couldn't be sure you've succeeded). RFC5961 tries to prevent this by adding some cases where the SYN/RST are not treated as valid, but instead it sends a special ACK to the source requesting confirmation. To avoid denial of service, these special ACKs are rate-limited to 10 per 5 seconds. Note these special ACKs are only generated if the SYN or RST look "nearly" valid based on the sequence number, otherwise the RST or SYN is ignored.

And that's what they discovered is the problem--open your own connection to any Destination which has long-term connections (and they picked a USA Today website, but anything would work), and every 2 seconds try to get it to generate those special SYN/RST ACKs. If it's not under "attack", you'll get your ACKs.

Then, spoof billions of packets using a chosen source IP address (and loop through all sequence nums and port nums) and guess the dest port (say, 80).

Now send a little traffic to the Destination on your valid connection to try to get these special SYN/RST ACKs. If you don't get your ACKs (due to the global rate limiting), then you "know" that you've stumbled upon a valid combination of Source IP/port and Destination IP/port and sequence number, so you know who's talking to the Destination machine. If you've picked a Source Address and port number not connected, then these special ACKs don't get generated, so your slow traffic generating these ACKs will not be rate limited, so you can tell this Source IP/port are not connected to this destination IP/port.

So RF5961 turns a pesky annoyance bug into a bug where its possible to determine who's connecting to a particular website (although time consuming).

With more care, they then figure out the sequence number--and once you have that, you can do targeted data injection. (It's always possible to do blind data injection, but the chance you can accurately inject javascript is hard since the sequence number is hard to predict).

RFC5961 should not do global rate limiting--it leaks important data.

Re:RFC5961 is flawed

[kamakazi]

Actually, the global rate limiting may not be the problem, the fixed limit may be. If the global rate limit were periodically randomly set, instead of 100/second, somewhere between 95 and 105 per second, then this attack would not work. It depends completely on knowing the global rate limit, and assumes there is no other traffic generating challenge ACKs.

A per connection rate limit would not accomplish the purpose of a rate limit, but an unknown global rate limit that changed fairly often would prevent this information leakage. Based on the attack time in the paper I think a rate limit that reset to a random value at a random time from 3-5 seconds would make this attack useless.

If the time the limit changes is fixed then the attacker can synchronize with the reset clock and still achieve a workable attack window by probing to determine the new limit.

I suppose you could skip the lifetime and just change it every second, since then the attacker would have great difficulty synchronizing with the limit counter as described in the article.

Re:RFC5961 is flawed

The flaw is that RFC5961 even exist. It is trying to solve a problem in the wrong place.
The proper solution for this problem is for networks not to allow packets with invalid source addresses (as in, does not belong to the network) to leave the network.

Inter-networking operations and ISP's really need to start taking network sanitization seriously. Just like ISP's should handle abuse reports prudently. Those 2 together would take care of most botnet and DDoS attacks.

Since the industry does not take care of this itself, it is time to make some laws. And yes this can be done globally, if the US puts its weight behind it.

Re:RFC5961 is flawed

[skids]

Thanks for the summary. Obviously, that points out some limitations to the attack -- you have to be on an insecure ISP that will accept your spoofed source addresses to launch it. Which addresses you can spoof can vary greatly based on the granularity of the ISP's and local network's source lockdowns, so attacking people on the same segment or the same organization may be more possible than those located elsewhere. That, and a DPI firewall on the attacked end that is able to detect such floods could probably shut the attack down, and some products might already do so by default if they protect against pre-RFC5961 flooding attacks.

Re:RFC5961 is flawed

[jgreen1024]

So RF5961 turns a pesky annoyance bug into a bug where its possible to determine who's connecting to a particular website

Well what's the big deal? NextGenHacker101 showed us how to do that back in 2008!

Re:RFC5961 is flawed

[kent.dickey]

If you just want to know if a connection exists, the exact global rate limit doesn't matter.

Let's say we're sending 5000 packets/sec to try to probe if a connection exists. And then we send 5 to see if we got it right (whatever you think the minimum per-second global throttle rate can be). If we get >= 3 on our test channel, then the probe is not for a valid connection. It doesn't matter if the server's throttle is to 5 per second or 200 per second.

A per-connection rate limit does fix the DDOS amplification issue. Yes, there may be lots of sockets open on a server, but hitting each socket with the right traffic to generate these ACKs is hard.

Fixing this on the server by limiting each socket's challenge-ACK rate is easy: have a global counter of seconds somewhere in the OS. Have each socket hold a "seconds value of last challenge ACK". If we want to send a chellenge ACK, only do it if the last_seconds_ack != global_seconds. This limits each socket to one per second. It's not even important to have the counter be large--it can be a byte (or even one bit), since it's only necessary to try to prevent sending many within the same second. And this is just to prevent magnification DDOS, which in this case may not even be necessary since it's so hard to generate the right traffic, and these ACKs are so small.

Re:Once again, open source is vulnerable

[slimshady76]

It's not a Linux bug, but a buggy RFC implementation. Please read TFA and then try to resume your lame trolling against OSS.

Re:Once again, open source is vulnerable

[EndlessNameless]

It looks to me that by having the source code available, these researchers - white hats - found the vulnerability before the bad guys did.

There is no indication in the paper that the researchers looked at the Linux source code to develop this attack. On the contrary, it looks like they designed the attack using methods devised from earlier research.

They also note that Windows, FreeBSD, and OS X are not vulnerable. In this case, being open source is not an indicator of security.

FBI LIE. FOUND ON FBI SLASHDOT.

>https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cao

Off-Path TCP Exploits: Global Rate Limit Considered Dangerous
Authors:

Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V. Krishnamurthy, University of California, Riverside; Lisa M. Marvel, United States Army Research Laboratory

Abstract:

In this paper, we report a subtle yet serious side channel vulnerability (CVE-2016-5696) introduced in a recent TCP specification. The specification is faithfully implemented in Linux kernel version 3.6 (from 2012) and beyond, and affects a wide range of devices and hosts. In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection. Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks. We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and perform web connection hijacking. Through extensive experiments, we show that the attack is fast and reliable. On average, it takes about 40 to 60 seconds to finish and the success rate is 88% to 97%. Finally, we propose changes to both the TCP specification and implementation to eliminate the root cause of the problem.

Better fix this "Linux bug" by changing TCP specification standards? No, bitches.

The title says Linux bug, this is bullshit. It is posted before they even demonstrated proof of concept later Wednesday
>researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit

Over and over lately arstechnica have been quoted on Slashdot stories that have been lies. Does anybody else see this security flaw? Has anybody ever been affected by it even one time? No, they post this shit before they even demonstrate proof of concept. They call it a Linux bug yet want to change TCP/IP standards and even allude to Tor.

Slashdot is FBI. Look at the names who are reporting this Linux bug too. "Lisa from the Army and.."

gtfo.

Re:Once again, open source is vulnerable

[F.Ultra]

Does WIndows, FreeBSD and OSX implement RFC 5961? Looks like the vulnerability lies in the specs and not in the implementation.

USAToday

[tomhath]

If a hacker injected a story into USAToday that was total BS, would anyone notice the difference?

Re:USAToday

[swb]

Way back in the 1980s when USA Today was just getting started, a news kiosk on campus had the logos of various papers on the wall next to the kiosk.

One day next to the USA Today kiosk, a graffiti artist had added in extremely neat penmanship "...tomorrow the world!" in a kind of matching font.

Not only was it pretty funny, but I think because it looked like it belonged, it never got removed.

Re:USAToday

[ebvwfbw]

Na, it would fit right in with all the other BS.

Re:"linux is safe"

[Dadoo]

It isn't.

No one has ever said "linux is completely safe". It's just safer than most of the alternatives.

Re:Once again, open source is vulnerable

No, they don't. And they are completely vulnerable to the attack RFC 5961 is meant to avoid.

Re: "linux is safe"

[orlanz]

No they haven't. Nuff said.

Re:Once again, open source is vulnerable

[exomondo]

Do you have some examples of secure closed source?

Even if you were to get an answer to that the result would always be "but it could contain undiscovered vulnerabilities" and the same is the case with open source software despite the fact that you can see the code. Yes it does mean that white hats could find and fix bugs easier but it also means black hats could find and exploit bugs easier so whether it is more or less secure depends on who is looking at the code.

There are too many variables to ever broadly say open source or closed source is more secure and it's not something you can prove.

Re:Once again, open source is vulnerable

[X86BSD]

FreeBSD supports partial implementation of 5961. As well as one of the authors of the RFC for 5961 being a FreeBSD committer. FYI. I have yet to see a Security Advisory for FreeBSD yet about this issue. So time will tell. But so far only Linux is affected.

Microsoft Propoganda

[Eravnrekaree]

Apparently Microsoft paid for the article, because its not a Linux bug. If I am not mistaken, Windows and all other TCP OSs have this problem because of the fact TCP is an insecure protocol (by itself), OF COURSE you can rewrite the packets if you are a man in the middle. This has been known for a very long time. TLS will solve this problem of course.

Re:Microsoft Propoganda

[SilentChasm]

If you read the article, you would see it's not a flaw in TCP in general but in RFC 5961, which only Linux has implemented so far and thus why it's the only one that's vulnerable. It also does not require you to be in the middle of the connection. Even with TLS you can still create a denial of service using this attack.

Re:Once again, open source is vulnerable

[Barsteward]

Windows and Mac OS X were the only other OSs mentioned in the article and according to the article, the fix was applied to the linux kernel 4.7 three weeks ago. One good thing is that the other OSs who are still dragging their feet on implementing 5961 fully, now have a heads up.

Re:Once again, open source is vulnerable

[Barsteward]

perhaps you'd need to read this http://www.theregister.co.uk/2...

Re:Once again, open source is vulnerable

[EndlessNameless]

No, and the vulnerability from implementing it is actually worse than doing nothing at all.

Without RFC 5961 support, an attacker with visibility of your communication can DoS it with forged resets. With RFC 5961, an attacker without direct visibility can determine if two hosts are communicating and then tamper with the data---roughly 80% of the time, according to paper.

The RFC process follows essentially the same many-eyes approach, yet this vulnerability went undiscovered from draft to implementation.

Open vs closed development of specs and software had little or no effect on the end result---although with open software you could remove the offending code yourself if the developer is unwilling to change or remove it himself.

Re:Once again, open source is vulnerable

[proibido]

I don't really need the source to find and exploit bugs.

Well, it sure helps!

Re:Once again, open source is vulnerable

[EndlessNameless]

The partial implementation in FreedBSD is identified as not vulnerable. It's on p 15 of the research paper.

Re:Once again, open source is vulnerable

[ebvwfbw]

Not a Linux bug. Same thing will work against Windows, and everything else. It's in the RFC that everyone follows.

Re: Once again, open source is vulnerable

[igorlord677]

Wrong. Kernel 4.7 has effective mitigation without disabling rate limit on challenge acks.

The title is WRONG

[igorlord677]

The title of the article is WRONG. USA Today and most major sites are NOT vulnerable to this. If you did not notice, the video is from Match 22. The vulnerability fix was reported by the research group in July and patched upstream by the Linux kernel community shortly thereafter. USA Today and other sites were fixed ahead of this announcement back in July. Read more on this at blogs.akamai.com.

Re:Once again, open source is vulnerable

[Zontar+The+Mindless]

What are you complaining about? Like the headline says, the bug left the USA today!