There is a serious problem in a new TCP feature designed to prevent hacking: it makes it easy to mount man-in-the-middle-style attacks from anywhere. The feature is built into Linux kernels 3.6 through 4.7 (a patch is available for the newest version).
At the symposium, the researchers demonstrated the exploit by injecting code into a live USA Today page that asks visitors to enter their email addresses and passwords, which was possible because pages on USA Today are not encrypted.
Perhaps most importantly, intercepting the data does not require a man-in-the-middle position, in which an attacker on the path covertly intercepts, collects and forwards traffic between two parties. Instead, attackers can simply send spoofed packets to the two targets.
“Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating.”
Because Linux runs on the back end of a majority of servers as well as on Android devices, an enormous number of users might be left vulnerable. Even those using the much-vaunted anonymizing software Tor could have their privacy compromised 90 percent of the time, in an average of about 50 seconds.
The team notes that because only version 3.6 or later of the Linux kernel has the flaw, systems running older software are not affected.
CVE-2016-5696 is the identifier of a serious security flaw in the TCP implementation of the Linux kernel which, if exploited, allows an attacker to hijack unencrypted web traffic or to crash encrypted communications such as HTTPS sessions or Tor connections.
The vulnerability affects all Linux kernel versions from v3.6 up to v4.7 and has existed in the Linux kernel for the past four years. At the heart of the problem is the design of RFC 5961, a standard that dictates how TCP connections are established between two hosts.
CVE-2016-5696 can also be used to create a Denial of Service (DoS) condition for encrypted services such as SSH and Tor.
The paper, titled "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous", presents a case study in which the six researchers injected a phishing form inside the USA Today website.
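As an added example (not code from the paper or from the kernel project), here is a POSIX shell audit script a defender can run on a Linux host: it checks whether the running kernel falls in the affected 3.6 to 4.7 range and whether the global challenge-ACK rate limit that the side channel relies on is still at a small, predictable value. It assumes the sysctl net.ipv4.tcp_challenge_ack_limit is that global limit and treats the widely recommended interim value 999999999 as the hardened threshold; installing the patched kernel remains the real fix.

```shell
#!/bin/sh
# Added example, not from the paper: audit a Linux host for CVE-2016-5696 exposure.
# Check 1: is the running kernel in the affected range 3.6 <= version <= 4.7?
# Check 2: is the global challenge-ACK rate limit still small and predictable?
# Assumptions: net.ipv4.tcp_challenge_ack_limit is the knob behind the global
# limit, and 999999999 is the interim value recommended so the per-second
# counter cannot be exhausted; a patched kernel is the real fix.

# Return 0 when MAJOR.MINOR of "$1" (as printed by uname -r) lies in [3.6, 4.7].
# Distributions backport fixes, so a hit means "verify", not "proven vulnerable".
kernel_in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # drop suffixes such as "-rc3" or "-generic"
    case "$major:$minor" in *[!0-9:]*|:*|*:) return 1 ;; esac
    [ "$major" -eq 3 ] && [ "$minor" -ge 6 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -le 7 ] && return 0
    return 1
}

# Return 0 when the challenge-ACK limit "$1" is large enough that an off-path
# sender cannot exhaust it within the one-second window the side channel needs.
challenge_ack_limit_hardened() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 999999999 ]
}

# Combine both checks for the running host. Returns 0 when no action is needed.
audit_host() {
    ver=$(uname -r)
    limit=""
    f=/proc/sys/net/ipv4/tcp_challenge_ack_limit
    [ -r "$f" ] && read -r limit < "$f"
    if ! kernel_in_affected_range "$ver"; then
        echo "kernel $ver: outside the affected range 3.6-4.7"
        return 0
    fi
    if challenge_ack_limit_hardened "$limit"; then
        echo "kernel $ver: in range, but tcp_challenge_ack_limit=$limit (interim mitigation present)"
        return 0
    fi
    echo "kernel $ver: tcp_challenge_ack_limit=${limit:-unset}; install the patched kernel,"
    echo "or meanwhile: sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999"
    return 1
}

audit_host || echo "ACTION REQUIRED"
```

Persist the interim value in /etc/sysctl.d so it survives a reboot, and re-run the audit after the kernel upgrade to confirm the version check no longer matches.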