The vulnerability (PDF) allows attackers to mount so-called “cross-layer” attacks against the Linux kernel by abusing a flaw in its pseudo-random number generator (PRNG).
This is possible because the UDP source port generation algorithm, the IPv6 flow label generation algorithm, and the IPv4 ID generation algorithm on some Linux-based systems all draw on the same defective PRNG.
After inferring the internal state of the PRNG from one (network) OSI layer, the weakness makes it possible to use that information to predict the random number value used in another OSI layer.
Predicting the PRNG value opens the door to DNS cache poisoning attacks against Linux systems, both on local networks and remotely, although the remote attack does require the DNS server to be outside the target’s network.
The flaw also lets attackers identify and track both Linux and Android devices.
The kernel vulnerability was disclosed by Amit Klein, vice president of security research at SafeBreach and a security researcher at Israel’s Bar-Ilan University.
According to Klein, the most prevalent form of the DNS attack is against Ubuntu servers, as those servers’ DNS stub resolver is particularly vulnerable.
He estimates that 13.4% of web servers run Ubuntu; some 3-5% of servers both run Ubuntu and use a public DNS service, meeting the preconditions required for exploitation.
In fact, the number could be higher than this conservative estimate, Klein told The Daily Swig. Servers using external but non-public DNS servers, such as those run by ISPs, are also open to attack.
Klein explained: “These may very well be vulnerable, however attacking them requires a bit more intel and planning, which is why I did not focus on attacking them in my research.”
DNS cache poisoning, Klein warns, opens the door to a range of further attacks.
“It can be used to reduce email security, hijack emails, hijack HTTP traffic, circumvent email anti-spam and banning mechanisms, mount a local DoS attack (blackhole hosts), poison reverse DNS resolutions and attack the machine’s NTP [Network Time Protocol] client, responsible for the machine’s clock,” he said.
The PRNG flaw also enables web-based tracking of Linux and Android devices.
“These can be used to track people, across networks, and even when the browser privacy mode is used, or when using a VPN,” said Klein.
A full fix was issued for Android in October 2020, but users can also protect themselves by routing traffic through either a proxy or Tor.
“This vulnerability is exactly the kind of thing I am looking for and actively researching. I didn’t accidentally stumble into it… [But] there may be other circumstances (such as local attacks) that I haven’t discovered,” he said.
The tracking threat arises because it is possible to “collect TCP/IPv6 flow label values and/or UDP source port values and/or TCP/IPv4 ID fields, reconstruct the PRNG internal state and correlate this new state with earlier extracted PRNG states to identify the same device.”
Fortunately, only Linux systems, and those such as Android that run on top of the Linux kernel, are at risk. Other Unix-based systems, such as macOS, use different PRNG algorithms.
The fix for Linux is to replace the weak PRNG with a stronger algorithm. Klein notified the Linux security team in March 2020, and they developed a patch based on a stronger PRNG using SipHash.
Newer Linux kernel versions include the new PRNG. In addition, DNS-over-HTTPS blocks the DNS attack, provided both the stub resolver and the DNS server support it, but this does not stop device tracking.