Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren't encrypted, inject malicious code or content into the parties' communications.
The vulnerability resides in the design and implementation of RFC 5961, a relatively new Internet standard that's intended to prevent certain classes of hacking attacks.
The protocol is designed in a way that can easily expose Internet users to so-called blind off-path attacks, in which hackers anywhere on the Internet can detect when any two parties are communicating over an active Transmission Control Protocol (TCP) connection. Attackers can go on to exploit the flaw to shut down the connection, inject malicious code or content into unencrypted data streams, and possibly degrade the privacy guarantees provided by the Tor anonymity network. At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that lets them inject content into an otherwise legitimate USA Today page, content that asks viewers to enter their e-mail addresses and passwords.
The researchers have also provided the following video demonstration:
Top sites remain vulnerable
The problematic RFC 5961 has not yet been fully implemented in Windows or Mac OS X, so those operating systems aren't believed to be vulnerable. By contrast, the Linux operating system kernel, starting with version 3.6 introduced in 2012, has added a largely complete set of functions implementing the standard. Linux kernel maintainers released a fix with version 4.7 almost three weeks ago, but the patch has not yet been applied to most mainstream distributions. For the attack to work, only one of the two targeted parties has to be vulnerable, meaning many of the world's top websites and other services running on Linux remain susceptible.
In an accompanying research paper titled Off-Path TCP Exploits: Global Rate Limit Considered Dangerous, the researchers said the vulnerability is the result of changes in the way TCP establishes a connection. When carrying out a so-called three-way handshake, the first of two parties sends a SYN (short for synchronize) packet, the receiving party responds with a SYN-ACK (synchronize-acknowledgement) packet, and the connection is established when the first party sends an ACK packet.
While similar attacks have existed for several years, the introduction of RFC 5961 makes this new exploit much more powerful. That's because the attacker needs only an Internet connection: no man-in-the-middle position is required to control or monitor the traffic passing between the two parties. The researchers wrote:
"In general, we believe that a DoS attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide," the researchers wrote. "The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection. If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays."
The researchers went on to offer a workaround that administrators of vulnerable systems can apply while they wait for a permanent fix. While Windows, OS X, and most other operating systems aren't believed to be vulnerable, the researchers warned that they could become susceptible if developers don't use extreme care when more fully implementing RFC 5961.
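The article gives only the kernel version range (3.6 through 4.7) and says a workaround exists without naming it. The following POSIX shell script is an added example, not code from the article or the researchers, that turns those facts into a host check an administrator can run. It assumes the workaround is the Linux sysctl net.ipv4.tcp_challenge_ack_limit raised to a very large value (999999999 here); that sysctl name and value are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the article): decide whether a Linux host falls in
# the kernel range the article describes (3.6 <= version < 4.7) and whether
# the RFC 5961 challenge-ACK global limit still has a weak (small) value.
# ASSUMPTION: the workaround is raising net.ipv4.tcp_challenge_ack_limit;
# the sysctl name and the 999999999 value are not from the page.

WORKAROUND_LIMIT=999999999
SYSCTL_KEY=net.ipv4.tcp_challenge_ack_limit
SYSCTL_FILE=/proc/sys/net/ipv4/tcp_challenge_ack_limit

# version_ge A B: succeed (return 0) when dotted version A >= B.
# Only the first three numeric fields are compared; a suffix such as
# "-91-generic" on the third field is ignored by awk's numeric conversion.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# kernel_needs_workaround VERSION: true for kernels that implement RFC 5961
# (3.6 and later, per the article) but predate the 4.7 fix.
kernel_needs_workaround() {
    if version_ge "$1" 3.6 && ! version_ge "$1" 4.7; then
        return 0
    fi
    return 1
}

# challenge_ack_status VALUE: classify the current sysctl value.
# "weak" is any small limit (the default is a low per-second count);
# "hardened" means the large workaround value is already in place.
challenge_ack_status() {
    case "$1" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$1" -ge "$WORKAROUND_LIMIT" ]; then
        echo hardened
    else
        echo weak
    fi
}

# workaround_sysctl_line: the sysctl.conf line an admin would add.
workaround_sysctl_line() {
    echo "$SYSCTL_KEY = $WORKAROUND_LIMIT"
}

# Report on the running host; reading /proc needs no privileges.
running=$(uname -r)
current=$(cat "$SYSCTL_FILE" 2>/dev/null || echo unknown)
if kernel_needs_workaround "$running"; then
    echo "kernel $running is in the 3.6 to 4.7 range; $SYSCTL_KEY=$current ($(challenge_ack_status "$current"))"
    echo "recommended until a fixed kernel is installed: sysctl -w '$(workaround_sysctl_line)'"
else
    echo "kernel $running is outside the 3.6 to 4.7 range the article describes; check your distribution's advisory"
fi
```

The version comparison is only a heuristic: distributions backport kernel fixes without changing the major version, so a 4.4 kernel may already carry the fix while a self-built 4.6 kernel may not. Treat the script's output as a prompt to check the distribution's advisory and the actual sysctl value rather than as proof either way.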
"It is a subtle problem," researcher Zhiyun Qian said when asked if the vulnerability resided in the RFC specification itself or a specific implementation of it. "I want to say that the RFC is written in a way that if OSes implement it straightforwardly, it is going to be problematic. So I think we should probably split the responsibility between the RFC and implementation."