Linux flaw?

According to the (, researchers from the University of California, Riverside and the U.S. Army Research Laboratory discovered that a Transmission Control Protocol (TCP) specification implemented in Linux (a flaw) creates a vulnerability that can be exploited to terminate connections and conduct data injection attacks by using a method that allows a blind, off-path attacker to intercept TCP-based connections between two hosts on the Internet.

Specialists tracked the vulnerability as CVE-2016-5696 and stated that it is related to a feature described in RFC 5961. The purpose of the feature is to make it more difficult to launch off-path TCP spoofing attacks.  Experts formulated the specification in 2010, but Windows, Mac OS X, and FreeBSD-based operating systems did not fully implement it. However, the Linux kernel since version 3.6, released in 2012, implemented the feature.

TCP data packets

The fact is, that unique sequence of numbers identify TCP data packets transmitted from one host to another. Since there are nearly 4 billion possible sequences, it should be impossible to determine an association between a sequence of numbers and  a specific communication.

However, experts discovered that attackers can leverage the flaw in Linux to deduce the sequence numbers associated with a particular connection simply by knowing the IP addresses of the targeted communicating parties. An attacker, who doesn’t need to be able to directly intercept the connection as in a classic man-in-the-middle (MitM) attack, can exploit this weakness to track users’ activity, terminate connections, thus injecting arbitrary data into a connection.

Researchers noted that data cannot be injected into HTTPS communications, but the connection can still be terminated using this method. One attack scenario described by the experts involves targeting Tor. It implies disrupting connections between certain relays. Thus, forcing users to use attacker-controlled exit relays.

Who are the victims?

The experts demonstrated the attack on the USA Today news website. They pointed out that many services hosted on Linux machines could be vulnerable, including video, ad, news and chat services. The condition is for the website or service to have a long-lived TCP connection – between 40 and 60 seconds. The success rate for the attack is between 88% and 97%.

Linux patched the vulnerability in the Linux kernel in July with the release of version 4.7. The developers of various Linux distributions indicated that they are working on addressing the security hole.