TCP Connections in Linux Servers Hijacked Through CVE-2016-5696

The TCP implementation in the Linux kernel is vulnerable to the security flaw CVE-2016-5696. Once the CVE-2016-5696 is exploited it allows the attacker to hijack unencrypted Web traffic or crash encrypted communications like Tor connections or HTTPS sessions. The number of vulnerable devices is at 1.4 billion. Around 80% of Android users are affected by the bug and their unencrypted data is at risk, since most devices use the Linux Kernel 3.6.

A research made by researchers from the University of California, Riverside, and the U.S. Army Research Laboratory reveals an existing vulnerability in Linux kernel v3.6 and up to v4.7. The problem is caused by a flaw in the design of RFC 5961. This standard has the function to command how to be established the TCP connections between two hosts.

All Internet communications have implemented TCP protocol. This protocol provides error-checked, reliable and ordered delivery of a stream of octets between applications running on hosts that communicate over an IP network. Protocols HTTP, DNS, FTP, SSH, SNMP, Telnet, POP are packaged together with TCP/IP as a “suite”.
In order to establish a secure connection between the two hosts, TCP connections are set up to run a process of exchanging three types of TCP packets in a certain order.


The researchers ascertain that it’s the way RFC 5961 standard has been implemented in the Linux kernel that allows an attack. They proved that this flaw (CVE-2016-5696) allows the attacker to intercept the TCP-based connections between two hosts on the Internet.

More information from the researchers’ report:

We discover and report a serious vulnerability unintentionally introduced in the latest TCP specification which is subsequently implemented in the latest Linux kernel.

We design and implement a powerful attack exploiting the vulnerability to infer
1) whether two hosts are communicating using a TCP connection;
2) the TCP sequence number currently associated with both sides of the connection.

The first stage of infection takes only 10 seconds for the attacker to guess the TCP packet sequence numbers that had just been exchanged between the two hosts.

An Attacker Doesn’t Need to Intercept the Connection as in MitM Attack

By knowing the IP addresses of the targeted communicating parties the attacker can intervene the connection. Afterward, he can inject malicious TCP packets into the sequence of the legitimate TCP packets. It is interesting that in this case, the attacker does not need to implement a man-in-the-middle attack to exploit the flaw. The packets’ exchange between the two hosts can be made through the server that is not necessarily under his control.

The flaw grants the attacker information on users’ activities, furthermore, he could inject random data into a connection and terminate connections.
The experiment proves the importance of using HTTPS communications as they cannot be injected with data. However, the connection can be crashed. One of the tests made by the team of researchers reveals that encrypted services such as Tor and SSH can be targeted through CVE-2016-5696. Disrupting the connections between certain relays results in successful Denial of Service (DoS) state.

Was this content helpful?

Author : Joseph Steinberg

Joseph Steinberg is the editor-in-chief, lead content creator, and local father figure of Best Security Search. He enjoys hiking and rock climbing and hates the 12345678 and qwerty passwords.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *