Slashdot Mirror


Linux Traffic Hijack Flaw Also Affects Most Android Phones, Tablets (zdnet.com)

Zack Whittaker, writing for ZDNet: As many as 80 percent of Android devices are vulnerable to a recently disclosed Linux kernel vulnerability. Security firm Lookout said in a blog post on Monday that the flaw affects all phones and tablets that are running Android 4.4 KitKat and later, which comes with the affected Linux kernel 3.6 or newer. According to recent statistics, the number of devices affected might run past 1.4 billion phones and tablets -- including devices running the Android Nougat developer preview. Windows and Macs are not affected by the vulnerability. The flaw, disclosed at the Usenix security conference last week, is complicated and difficult to exploit. If an attacker can pull off an exploit, they could inject malicious code into unencrypted web traffic from "anywhere". However, the source and destination IP address would need to be known in order to intercept the traffic, adding to the complexity of carrying out a successful attack. The exploitability isn't easy, though.

39 comments

  1. Re:So what by Anonymous Coward · · Score: 1

    it's

  2. Cue The Apologists!! by Anonymous Coward · · Score: 0

    Time for the Slashdot crowd to tell us why this is a good thing and why Android still rulez.

  3. What? by sexconker · · Score: 1

    How is this different from a typical MITM attack?

    Is this saying that it's a MITM attack that can exploit a flaw in the kernel resulting in arbitrary code execution?
    If so, wouldn't a regular (compromised/malicious) website be able to do the same thing without the MITM being necessary, HTTPS or not?

    If it's not saying that it's a MITM attack that can exploit a flaw in the kernel resulting in arbitrary code execution, WTF is it saying?

    1. Re:What? by Anonymous Coward · · Score: 0

      It's a bit vague, but it sounds like one can inject traffic into a stream without the traffic passing through them. As mentioned they need to know the source & destination IPs that are currently communicating when sending the malicious payload.

    2. Re:What? by quenda · · Score: 3, Informative

      How is this different from a typical MITM attack?

      The attacker does not have to be "in the middle".
      But standard defence against MITM - don't trust unencrypted connections - would work fine for this as well, I would think.

    3. Re:What? by Anonymous Coward · · Score: 0

      There is still a lot of email that is unencrypted. Theoretically an attacker could inject an attachment and sentence "Also, check out the attachment for more details" at the end of a legitimate email.

    4. Re:What? by Anonymous Coward · · Score: 0

      As well as IPSEC AH, TCP-MD5, TCP-SHA, any UDP-based VPN layer...

      OTOH, any BGP sessions in Linux-based routers you have *better* be protected either by TCP-MD5, IPSEC, or direct-link enforced TTL==255, because a TCP RST spray that gets through (made easier by this exploit) will bring the BGP session down. Note that unlike, say, Juniper gear, Linux *does* support every strong TCP protection in the book, so you *really* have no business running BGP over plain, unprotected TCP.

    5. Re:What? by Anonymous Coward · · Score: 0

      don't trust unencrypted connections

      That should be "don't trust unencrypted/unauthenticated connections." The added bit is extraordinarily important. -PCP

    6. Re:What? by Anonymous Coward · · Score: 0

      Theoretically? Sure. But, not practically. For one thing the TCP session would have to be long enough time-wise to give the attacker time to determine the ports and sequence numbers and then time it properly or fragment it properly so that the corrupted stream is readably corrupted.

    7. Re:What? by Anonymous Coward · · Score: 0

      And the attacker would have to know the proper TCP sequence number(s) or the data will be discarded. I think this is more of a 'lab' attack and not practical in the real world - at least for TCP. UDP is a different story.

    8. Re: What? by Anonymous Coward · · Score: 0

      I found the unpaid Linux shill. Hey bro, wise up. At least MS and Apple pay well for this service.

    9. Re:What? by Anonymous Coward · · Score: 0

      They have to know the source & destination IPs and port numbers and must be non-encrypted traffic.

      It's dramatically easier to simply inject data at the source, given that in order to perform a man in the middle attack you either have full access on either endpoint and know the sequence numbers, or have access to the communication paths, thereby allowing you to monitor the traffic. It's the sequence numbers which create the vulnerability; even though Linux implements the RFC accurately.

      The largest threat this presents is from ISPs and/or NSA injecting stuff into your unencrypted stream. Aside from that, conventional attack vectors are dramatically easier.

      If you're running Linux and are worried, add the following to your sysctl.conf file:
      net.ipv4.tcp_challenge_ack_limit = 999999999

      Then run: sudo sysctl -p

    10. Re:What? by gexacor · · Score: 1

      What could you do at all using your regular Android smartphone? Did you try to teach your mother or granny not to trust unsecured connections, by the way? :)

  4. No wonder by Anonymous Coward · · Score: 0

    Google has perhaps known about this for ages and used the knowledge as motivation to promote wider use of encryption.

    1. Re:No wonder by Anonymous Coward · · Score: 0

      Or the NSA won't allow them to patch it...

  5. Haha! by Anonymous Coward · · Score: 0

    My now apparently unsupported moto x 2014 (thanks Lenovo) runs kernel 3.4
    I guess that makes me safe?

  6. Patch already available (I think...) by by+(1706743) · · Score: 2, Informative

    Patch.

    The link was from here, which also suggests a fix for unpatched systems:

    echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >>/etc/sysctl.conf;sysctl -p

    (Courtesy of this site.)
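
A check for the workaround quoted in the two comments above (the `sysctl.conf` line and the `echo ... >>` one-liner), as an added example that is not part of the original thread: it reports whether the value 999999999 is both live and persisted. The function names and status words are made up for this example, and the result says nothing about whether the kernel itself carries the patch.

```shell
#!/bin/sh
# Added example: audit the tcp_challenge_ack_limit workaround quoted in this thread.
KEY=net.ipv4.tcp_challenge_ack_limit
WANT=999999999        # value suggested in the comments above

# Succeeds if kernel release $1 is 3.6 or newer, the range the summary calls
# affected. A patched kernel is also in this range, so this only selects
# machines that need a closer look.
kernel_in_range() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 6 ]; }
}

# Prints the value left in effect after `sysctl -p` loads file $1. Lines are
# applied in order, so the LAST assignment wins; that matters because the
# `echo ... >> /etc/sysctl.conf` one-liner appends and can leave duplicates.
conf_value() {
    awk -F= -v key="$KEY" '
        { gsub(/[ \t]/, "") }        # "key = value" -> "key=value"
        $1 == key { val = $2 }       # later lines override earlier ones
        END { if (val != "") print val }' "$1"
}

# audit RELEASE RUNTIME_VALUE CONF_FILE -> prints one status word.
audit() {
    kernel_in_range "$1" || { echo not-in-range; return 0; }
    saved=$(conf_value "$3")
    if [ "$2" = "$WANT" ] && [ "$saved" = "$WANT" ]; then echo applied
    elif [ "$2" = "$WANT" ]; then echo runtime-only    # gone after a reboot
    elif [ "$saved" = "$WANT" ]; then echo not-loaded  # sysctl -p was never run
    else echo missing
    fi
}

# Check the local machine: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit "$(uname -r)" \
          "$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit)" /etc/sysctl.conf
fi
```
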

    1. Re:Patch already available (I think...) by by+(1706743) · · Score: 3, Insightful

      (Here's the patch from a more familiar source, kernel.org.)

    2. Re: Patch already available (I think...) by buchanmilne · · Score: 2

      All the different distributions of Linux combined with no user friendly way of keeping the latest patches installed is just asking to be trouble.

      All the distros I have used have had both n00b-friendly and cli-automatable options for installing updates for more than a decade. E.g. red icon pops up in systray, click it to see what updates are available, deselect some if you need to defer restarting something, click the update button, and carry on with what you were doing. If a kernel or very common library update was installed, you're informed at the end that you should reboot and you are asked if you want to reboot or do it yourself later.

      I don't know how it could be any more user friendly.

    3. Re: Patch already available (I think...) by Anonymous Coward · · Score: 0

      That is so easy that actually .. I was kinda embarrassed that my gran showed me how to do it. She's a total CLI demon.

      But yeah, she loves running on the endless linux patch treadmill. It gives her a good workout.

  7. Re:Cute by jmccue · · Score: 1

    And Apple has an excellent history of bug fixes compared to Linux.

    Apple has an excellent history of hiding fixes compared to Linux. FTFY

  8. Re:Cute by Anonymous Coward · · Score: 1

    Compared to Linux? No, they don't, not even close.

    Compared to Android as shipped in phones (i.e. not AOSP), then yes, Apple has a much better track record.

  9. One more reason I hate Lenovo/Motorola support (NO by blueskiesokie · · Score: 3, Informative

    I love my Moto X Force. Motorola has absolutely no software support for their phones! There was one update to Android 6.0 Dec 15. Absolutely no security updates!! So no fixes for ANY security issues.

  10. Re:Cute by Oloryn · · Score: 1

    I've got the mitigation on all of my Linux machines, but does it work on Android? Looks like the user would be forced to root an Android in order to apply the fix, if it works.

  11. Windows and Macs by Threni · · Score: 1

    "As many as 80 percent of Android devices are vulnerable to a recently disclosed Linux kernel vulnerability"
    "Windows and Macs are not affected by the vulnerability."

    Wait, run that past me again? You're absolutely sure this linux issue doesn't affect devices which don't run linux?

  12. Re:One more reason I hate Lenovo/Motorola support by RubberDogBone · · Score: 1

    My Nexus 6 is similar to your X Force... perhaps somebody can get one of the Nexus 6 ROMs to work on not just your device but all the other Motorola models that are relatively similar.

    But even Google says they will stop guaranteeing updates for the Nexus 6 once Nougat is released. Keep in mind, the Nexus 6 was still a current product up until 9 months ago and you can still get them new in the box. But they've already warned us to not expect much. Not sure if this is Google or Motorola or both declaring this thing dead but damnit this was still a mainline product within the last year. And now it's already an orphan?

    Well, I suppose I should not be too upset: the four Android phones I had before this one got only one or two updates between them, ever. The Nexus 6 has gotten monthly security patches and IIRC 3 major OS updates in the last few months.

    --
    Sig for hire.

  13. Re:One more reason I hate Lenovo/Motorola support by thegarbz · · Score: 1

    This would worry me if there were any active exploits of security flaws. The fact is that mobile phone users in general are dumb as doorknobs and there are far easier ways to exploit the user and gain access to the phone through the legitimate pathways that the OS provides rather than exploiting security holes.

    "Do you wan"OK yes OK I've clicked OK already just go away stupid popup asking me a question I didn't read!

  14. Typical Slashdot by Anonymous Coward · · Score: 0

    Linux/Android flaw, 30ish comments and the only modded up ones are espousing the greatness of Linux, despite the fact this will never be fixed on a majority of devices.

    iOS flaw, 300 comments modded up talking about how shitty the platform is and how awesome Android is, despite the fact that said flaw will likely be fixed on any device from the last 5+ years.

  15. More proof Android's Linux... apk by Anonymous Coward · · Score: 0

    See subject: I've pointed that out many times this proves it all the more (as Android's surely NOT Windows or iOS/MacOS X) - & as per my usual? So much for the CRAP spouted here on /. for decades of "Windows != Secure, Linux = Secure" horseshit (until ANDROID came around proving QUITE otherwise that is).

    * Additionally: So much for "all those BLIND EYES on 'Open SORES' code", eh?

    (Lies they spouted for YEARS on this site are falling apart around your ears... nigh constantly, courtesy of ANDROID!)

    APK

    P.S.=> Lastly: The reason for this post? I've had FOOLS around here say "Android is NOT a Linux" (whenever I've pointed out it IS a Linux variant) well again:

    Using a Linux core, it's surely NOT Windows OR iOS/MacOS X - WHICH ARE NOT AFFECTED BY THIS EXPLOIT...

    &

    This problem proves my point yet again all the more that android IS a form of Linux (with a STUPID java ('dalvik') front-end making it even MORE vulnerable than ever due to all the TONS OF FLAWS in Java)... apk

  16. CVE by Anonymous Coward · · Score: 0

    For those who care about technical details, the exploit is CVE-2016-5696

  18. Linux problem affects linux devices? You don't say by allo · · Score: 1

    (no further text)