Last updated: 11-08-2016, 07:59 by Muria: http://news360.com/article/364201678
Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren't encrypted, inject malicious code or content into the parties' communications.
The vulnerability resides in the design and implementation of RFC 5961, a relatively new Internet standard that's intended to prevent certain classes of hacking attacks.
The problematic RFC 5961 has not yet been fully implemented in Windows or Mac OS X, so those operating systems aren't believed to be vulnerable. By contrast, the Linux operating system kernel, starting with version 3.6 introduced in 2012, has added a largely complete set of functions implementing the standard.
The essential point is missing from this description, namely
off-path: this is not a MitM attack (Man in the Middle, i.e. with direct access to the connection between client and server), but an internet-connected device
anywhere on the Internet whose user knows or suspects that the connection to be hijacked is being set up.
Incidentally, the original news article appears to have been written by Dan Goodin in [1] and refers to the researchers' publication [2], by Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth V. Krishnamurthy and Lisa M. Marvel.
Earlier slides explaining the underlying problem and
off-path attacks: [3]. From those:
October 28th 2015, by Matthew Luckie, Robert Beverly, Tiange Wu, Mark Allman, kc claffy: [...]
- Paul Watson 2004 advice: strictly validate RST packets, choose ephemeral ports randomly
[...]
- Default behavior of Windows and MacOS is to choose TCP ephemeral ports sequentially
[...]
Addendum 11-08-2016, 11:33: from [4], fix for Linux:
10 Aug 2016 at 23:23, by Iain Thomson: [...]
As a workaround while patches to fix the problem are prepared and distributed, you can raise the rate limit on your Linux machine or gadget so that it cannot be reached, by appending the following to
/etc/sysctl.conf:
net.ipv4.tcp_challenge_ack_limit = 999999999
And then use sysctl -p to activate the new rule. You need to be root to do this.
[...]
[1] http://arstechnica.com/security/2016/08/linux-bug-leaves-usa-today-other-top-sites-vulnerable-to-serious-hijacking-attacks/
[2] http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
[3] https://www.caida.org/~mjl/imc-blind.pdf
[4] http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_communications/
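As an added example (not part of Muria's post, nor code from The Register or the researchers): a small POSIX shell helper that audits whether the quoted workaround, raising net.ipv4.tcp_challenge_ack_limit to 999999999, is in effect on the running kernel and persisted in a sysctl.conf-style file, and that appends the entry idempotently when it is missing. It assumes the kernel exposes the key at /proc/sys/net/ipv4/tcp_challenge_ack_limit (the case on Linux kernels that implement RFC 5961); the function names and the constructed sample file in the usage are mine. Activating the persisted entry is still `sysctl -p` as root, exactly as the quoted text says.

```shell
#!/bin/sh
# Added example: audit/apply helper for the challenge-ACK rate-limit workaround.
# Assumption: the kernel exposes the sysctl key under /proc/sys (Linux >= 3.6 with RFC 5961).
WORKAROUND_VALUE=999999999
PROC_PATH=/proc/sys/net/ipv4/tcp_challenge_ack_limit

# challenge_ack_limit_ok VALUE -> 0 if VALUE is a number at or above the quoted workaround
challenge_ack_limit_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;            # empty or not a non-negative integer
    esac
    [ "$1" -ge "$WORKAROUND_VALUE" ]
}

# sysctl_conf_value FILE -> prints the effective (last) value set for the key in FILE;
# sysctl -p applies entries in order, so a later line overrides an earlier one.
sysctl_conf_value() {
    sed -n 's/^[[:space:]]*net\.ipv4\.tcp_challenge_ack_limit[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# running_value -> prints the live kernel value, or nothing if the key is not exposed
running_value() {
    [ -r "$PROC_PATH" ] && cat "$PROC_PATH"
}

# audit_file FILE -> 0 if FILE persists the workaround, 1 otherwise
audit_file() {
    v=$(sysctl_conf_value "$1")
    challenge_ack_limit_ok "$v"
}

# apply_workaround FILE -> append the entry unless FILE already carries it (idempotent).
# Activation is a separate, root-only step: sysctl -p
apply_workaround() {
    if audit_file "$1"; then
        return 0
    fi
    printf 'net.ipv4.tcp_challenge_ack_limit = %s\n' "$WORKAROUND_VALUE" >> "$1"
}

# report -> human-readable status of the live kernel and of /etc/sysctl.conf (if readable)
report() {
    live=$(running_value)
    if [ -n "$live" ]; then
        if challenge_ack_limit_ok "$live"; then
            echo "live: $live (workaround in effect)"
        else
            echo "live: $live (kernel rate limit still low; workaround not applied)"
        fi
    else
        echo "live: $PROC_PATH not exposed on this kernel"
    fi
    if [ -r /etc/sysctl.conf ]; then
        if audit_file /etc/sysctl.conf; then
            echo "/etc/sysctl.conf: persistent workaround present"
        else
            echo "/etc/sysctl.conf: no workaround entry"
        fi
    fi
}

report
```

Running the script as-is only reports; call `apply_workaround /etc/sysctl.conf` followed by `sysctl -p` as root to persist and activate the entry. Because `sysctl_conf_value` takes the last matching line, a low earlier value in the same file is correctly treated as overridden by the appended one.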