Dangerous TCP Flaw In Debian GNU/Linux Has Just Been Fixed
We wrote earlier about a serious flaw in the Linux kernel (version 3.6 and later) that, if exploited, opens the door to a wide range of blind off-path TCP attacks powerful enough to compromise Linux users' security.
It is this TCP spying flaw that the Debian GNU/Linux maintainers have now patched, a very welcome development. In its latest security advisory, Debian fixed a large number of Linux kernel bugs that could lead to privilege escalation, denial of service and other threats.
Below are a few things you should know about these bugs and their patches:
- CVE-2016-5696: This one was discovered by Zhiyun Qian of the University of California, Riverside and his collaborators. It concerns the faulty implementation of the TCP Challenge ACK feature in Linux, which attackers might exploit to locate TCP connections between two specific IP addresses and inject malicious code into them. The Debian project says it can be mitigated by increasing the rate limit for TCP Challenge ACKs.
- CVE-2016-6136: Pengfei Wang discovered this 'double-fetch', or 'time-of-check to time-of-use (TOCTTOU)', bug. Pronounced "TOCK too", it is a class of software bug caused by a change in the system between the checking of a condition and the use of the results of that check. Exploiting this bug can allow an attacker to create misleading log entries.
- CVE-2016-6480: This one is a minor double-fetch bug in the kernel driver for Adaptec RAID controllers; it has no practical security impact on the latest Debian GNU/Linux releases.
- CVE-2016-6828: This 'use-after-free' bug in the TCP implementation can be triggered by local users and may lead to denial of service or privilege escalation, although its exact security impact is unknown.
Ultimately, we advise you to upgrade your Linux packages.
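Debian's advice on CVE-2016-5696 is to raise the challenge-ACK rate limit until it is never reached. The following audit-and-apply script is an added example, not code from Debian or this article; it assumes the knob is net.ipv4.tcp_challenge_ack_limit with a default of 100, and that 1000000000 is the value treated as "never exceeded".

```shell
#!/bin/sh
# Added example, not part of the Debian advisory or this article: audits and
# optionally applies Debian's interim mitigation for CVE-2016-5696, raising the
# challenge-ACK rate limit so high that it is never reached.
# Assumptions: the knob is net.ipv4.tcp_challenge_ack_limit (default 100 in
# affected kernels) and 1000000000 is the "never exceeded" value.

SYSCTL_KEY="net.ipv4.tcp_challenge_ack_limit"
PROC_PATH="/proc/sys/net/ipv4/tcp_challenge_ack_limit"
DEFAULT_LIMIT=100
SAFE_LIMIT=1000000000

# classify_limit VALUE: prints mitigated (at or above SAFE_LIMIT), partial
# (raised, but a flood of packets can still hit it), vulnerable (default or
# lower) or unknown (not a non-negative integer).
classify_limit() {
    case "$1" in
        ''|*[!0-9]*) echo unknown; return 3 ;;
    esac
    if [ "$1" -ge "$SAFE_LIMIT" ]; then echo mitigated
    elif [ "$1" -gt "$DEFAULT_LIMIT" ]; then echo partial; return 1
    else echo vulnerable; return 2
    fi
}

# current_limit: prints the live value, or "absent" when this kernel does not
# expose the knob (in which case this check does not apply).
current_limit() {
    if [ -r "$PROC_PATH" ]; then cat "$PROC_PATH"; else echo absent; fi
}

# apply_mitigation: raises the limit now and persists it across reboots.
# Needs root; the sysctl.d file name is our own choice.
apply_mitigation() {
    sysctl -w "$SYSCTL_KEY=$SAFE_LIMIT" &&
    printf '%s = %s\n' "$SYSCTL_KEY" "$SAFE_LIMIT" \
        > /etc/sysctl.d/90-cve-2016-5696.conf
}

# Run the audit only when asked, so the file can also be sourced for testing.
if [ "${AUDIT_CHALLENGE_ACK:-0}" = 1 ]; then
    limit=$(current_limit)
    status=$(classify_limit "$limit") || true
    echo "$SYSCTL_KEY=$limit ($status)"
    if [ "$status" = vulnerable ] || [ "$status" = partial ]; then
        apply_mitigation
    fi
fi
```

Run it as root with `AUDIT_CHALLENGE_ACK=1 sh audit-challenge-ack.sh`; on a kernel that already carries the fix, the sysctl no longer matters and the upgrade is what counts.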
Why is the CVE-2016-5696 bug so dangerous?
CVE-2016-5696 is the most dangerous of these bugs and yet it was labeled medium (attack range: remote) on the NVD severity scale. This issue was fixed by Linus Torvalds himself, who writes in his GitHub commit that “host rate limiting of challenge ACKS (RFC 5961) could leak enough information to allow a patient attacker to hijack TCP sessions.”
When they presented their research at the USENIX Security conference, the researchers showed that the TCP implementation could be exploited to unmask Tor users by forcing them to use specific exit relays.
Linux and other operating systems use the Transmission Control Protocol (TCP) to send and receive information, and an IP address is what ensures the information reaches its intended destination. An attacker can exploit the TCP flaw to deduce the TCP sequence number, with which he can track users' online activities in less than 60 seconds with a 90% success rate.
Such targeted attacks are no walk in the park, but the fact that they can be carried out at all raises serious security concerns. We advise users to keep safe by encrypting their internet traffic and using a good VPN, in addition to keeping their systems updated.