Investigation of the 2016 Linux TCP Stack Vulnerability at Scale

To combat blind in-window attacks against TCP, the changes proposed in RFC 5961 have been implemented in Linux since late 2012. While it successfully eliminated the old vulnerabilities, the new TCP implementation was reported in August 2016 to have introduced a subtle yet serious security flaw. Assigned CVE-2016-5696, the flaw lies in the challenge ACK rate-limiting feature: an off-path attacker could exploit it to infer the presence or absence of a TCP connection between two arbitrary hosts, terminate such a connection, and even inject payload into an unsecured TCP connection. In this work, we perform a comprehensive measurement of the impact of the new vulnerability, which includes (1) tracking the vulnerable Internet servers, (2) monitoring patching behavior over time, and (3) characterizing the overall security status of TCP stacks at scale. Towards this goal, we design a scalable measurement methodology and use it to scan the Alexa top 1 million websites for almost 6 months. We also present how notifications affect patching behavior, and compare the results with those for the Heartbleed and Debian PRNG vulnerabilities. The measurement represents a valuable data point in understanding how Internet servers react to serious security flaws in the operating system kernel.
