With the disclosure last week that over 900 million android phones were susceptible to the QuadRooter vulnerability, you could be forgiven for thinking that that was enough excitement for now. Yet, alas not.
Researchers from the University California-Riverside have identified a Linux kernel vulnerability which affects certain Linux-based operating systems OS. This includes 80%, or roughly 1.4 billion, of all Android devices.
So, without further ado, here’s everything you need to about who’s affected by the vulnerability, how it operates and what can you do to protect yourself against it.
According to the NVD, the Linux kernel vulnerability affects all Linux operating systems that are running version 4.6 and earlier.
Also, in regards to Android, this affects all devices running Android OS 4.4 KitKat or later.
The vulnerability affects a weakness in the Transmission Control Protocol (TCP) of all relevant Linux operating systems mentioned above. Attackers are able to infer the TCP number sequence associated with a particular connection, with no more information needed than the source and destination IP addresses.
The weakness can be used to launch attacks that could degrade the privacy of anonymous networks (e.g. Tor browser), track users’ online activity, hijack a conversation between hosts and even forcibly terminate a conversation.
The attack has been found to take less than a minute to instigate and have a nearly perfect success rate.
The underlying Linux kernel vulnerability has been assigned CVE-2016-5696 with a medium severity rating.
The exploitability rating is low, but it should be remembered that the risk is still there for targeted attacks.
You’ll be glad to hear the kernel was patched on July 11th 2016. But unfortunately, it wasn’t ready in time to be included in the latest developer preview of Android OS Nougat.
However, if you’re running a standalone Linux OS, you can update your kernel to version 4.7 which contains the patch.
You can check if your Android device is vulnerable by running the following command from an adb shell: sysctl net.ipv4.tcp_challenge_ack_limit. If the reported number is less than 1,000 (which is the new number in the patch), I’m sorry to say chances are your device doesn’t contain the patch. If that’s the case, you may want to encrypt your communications using such tools as a VPN.
The biggest takeaway for enterprises, is the importance of being aware of known open source security vulnerabilities affecting your components, and upgrading them when possible. For if left unpatched, all affected Linux environments would be susceptible to targeted attacks seeking to gain access to or manipulate unencrypted sensitive information.
Here at WhiteSource, as part of our automated open source management solution, we continuously monitor new CVEs and track over 175,000 open source vulnerabilities, including the Linux kernel vulnerability. Therefore, we’re able to alert our customers, in real time, about vulnerable libraries in their software, and fixes for them.
It’s always important to remember, if the open source community is aware of an open source vulnerability, so are hackers. Therefore, you need to be as well.