IP flaw leaves servers vulnerable to silent interception


Linux vulnerable to Off-Path TCP exploit.

Researchers have discovered a serious implementation flaw in the Request for Comments (RFC) 5961 internet standard that could allow attackers to intercept and manipulate traffic without needing a man-in-the-middle position.


RFC 5961 is designed to make the commonly used transmission control protocol (TCP) more robust against hacking attacks, but it can be abused in blind off-path attacks over unencrypted connections.

A team of researchers at the University of California found that the relatively new RFC 5961 standard allows attackers to infer communication over TCP/IP between two hosts on the internet and work out the packet sequence numbers.

Attackers can therefore terminate connections and perform data injection attacks. 

The researchers said since Linux has implemented RFC 5961 fully, the open source kernel has been vulnerable to the serious side channel attack since version 3.6, released in 2012.

Linux variants are used on a large number of internet servers, and while kernel maintainers have patched the vulnerability, the updated code hasn't been applied to many distributions yet.

Microsoft Windows and Apple's macOS operating systems do not fully implement RFC 5961 and aren't thought to be vulnerable to the hijacking attack.

Hijacking connections is relatively easy, the researchers said, taking on average 40 to 60 seconds to finish, with an 88 to 97 percent success rate.

They demonstrated the vulnerability by intercepting traffic between news site USA Today, successfully injecting a phishing registration window that asked for victims' email addresses and passwords.

The vulnerability can also be used to compromise the anonymity of The Onion Router (TOR) privacy-oriented network, the researchers said.

Fixing the issue would require changes to the design and implementation of TCP's global rate limit to prevent or mitigate the side-channel attack, the researchers suggested.
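A host-side check for the exposure described above, as an added example that is not from the article or the researchers: it compares the running kernel against the 3.6 release the article names and reads the challenge-ACK global rate limit. The sysctl name `net.ipv4.tcp_challenge_ack_limit`, its historical default of 100, the verdict labels and the sample kernel strings in the comments are assumptions, not details from the article.

```shell
#!/bin/sh
# Added example: audit a Linux host for the global challenge-ACK rate limit.
# Assumptions (not from the article): the limit is exposed as the sysctl
# net.ipv4.tcp_challenge_ack_limit and 100 was its historical default.

# kernel_at_least RELEASE MAJOR MINOR
# returns 0 if RELEASE >= MAJOR.MINOR, 1 if older, 2 if RELEASE is unparseable
kernel_at_least() {
    rel=${1%%[!0-9.]*}            # "3.10.0-327.el7.x86_64" -> "3.10.0"
    case $rel in
        *.*) ;;
        *) return 2 ;;
    esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# assess RELEASE LIMIT -> prints one verdict word
assess() {
    rc=0
    kernel_at_least "$1" 3 6 || rc=$?
    case $rc in
        1) echo "predates-3.6"; return 0 ;;      # older than the affected range
        2) echo "kernel-unparsed"; return 0 ;;
    esac
    case $2 in
        ''|*[!0-9]*) echo "limit-unreadable"; return 0 ;;
    esac
    if [ "$2" -le 100 ]; then
        echo "default-limit"      # small shared counter: check vendor patch status
    else
        echo "limit-raised"       # limit was changed by a patch or an administrator
    fi
}

# Live check, skipped on hosts that do not expose the sysctl.
LIMIT_FILE=/proc/sys/net/ipv4/tcp_challenge_ack_limit
if [ -r "$LIMIT_FILE" ]; then
    echo "$(uname -r): $(assess "$(uname -r)" "$(cat "$LIMIT_FILE")")"
fi
```

A `default-limit` verdict is a prompt to check the distribution's advisory rather than proof of exposure, since vendors can backport the kernel fix without changing the version string.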

Copyright © iTnews.com.au . All rights reserved.