A new vulnerability (CVE-2020-16166) in the Linux pseudo-random number generator (PRNG) was found by Amit Klein, vice president of security research at SafeBreach and a security researcher at Israel’s Bar-Ilan University.
The vulnerability opens the door to Cross-Layer Attacks, a new hacking technique that raises a risk of DNS cache poisoning and that can enable the unauthorized identification and tracking of Linux and Android devices.
KernelCare patches for Debian 10, Debian 8, Oracle Linux UEK 5 and 6, Ubuntu 18.04, 20.04 are already available. Patches for RHEL 8 & Oracle Linux UEK 4 will be released early next week.
About CVE-2020-16166, Cross-Layer Attack
From kernel version 5.7.11 onwards, remote attackers can make observations about the Linux kernel that enable them to extract sensitive information about the internal state of the network RNG (random number generator). The issue relates to two pieces of kernel code: drivers/char/random.c and kernel/time/timer.c.
CVE-2020-16166 enables attackers to mount what is called a “cross-layer” attack. This attack against the Linux kernel exploits a specific weakness in the way PRNG (pseudo random number generation) is handled in Linux.
The attack is possible because, on some Linux systems, the flawed PRNG powers three key network algorithms:
- UDP source port generation
- IPv6 flow label generation
- IPv4 ID generation
Attackers start by inferring the internal state of the PRNG from values observed on one OSI layer. They then use that recovered state to predict the random value the kernel will use on another OSI layer. Being able to predict those values gives the attacker the opportunity to poison the DNS cache on some Linux systems.
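As an added illustration (not code from the article, from KernelCare, or from the kernel), the following toy model shows why one non-cryptographic PRNG shared by the IPv4 ID, IPv6 flow label and UDP source-port generators lets an observer of one layer predict another, and why a cryptographically strong generator removes that link; ToyLcg, NetStack and the 16-bit state are constructed simplifications.

```python
import secrets
from typing import Optional

PORT_LO, PORT_HI = 32768, 60999   # Linux default ephemeral port range


class ToyLcg:
    """Constructed stand-in for a shared non-cryptographic PRNG: its whole
    16-bit state is emitted as each output, so one observed value reveals it.
    (The real kernel generator needed more inference work to recover.)"""
    A, C, M = 25173, 13849, 1 << 16

    def __init__(self, state: int) -> None:
        self.state = state % self.M

    def next_u16(self) -> int:
        self.state = (self.A * self.state + self.C) % self.M
        return self.state


class NetStack:
    """Three network-layer consumers fed by one shared PRNG (vulnerable
    layout) or, when shared is None, by a CSPRNG (hardened layout)."""
    def __init__(self, shared: Optional[ToyLcg]) -> None:
        self.shared = shared

    def _draw(self) -> int:
        return self.shared.next_u16() if self.shared else secrets.randbits(16)

    def ipv4_id(self) -> int:            # IPv4 Identification field
        return self._draw()

    def ipv6_flow_label(self) -> int:    # IPv6 flow label
        return self._draw()

    def udp_source_port(self) -> int:    # ephemeral UDP source port
        return PORT_LO + self._draw() % (PORT_HI - PORT_LO + 1)


def predict_port_from_ipv4_id(observed_id: int) -> int:
    """Prediction an observer of the IPv4 layer can make about the stack's
    next UDP source port if both layers share ToyLcg: clone and advance."""
    clone = ToyLcg(observed_id)
    return PORT_LO + clone.next_u16() % (PORT_HI - PORT_LO + 1)


def cross_layer_prediction_holds(stack: NetStack) -> bool:
    """Observe one IPv4 ID, then test whether the next UDP source port equals
    the prediction: always True for the shared layout, ~1/28232 otherwise."""
    seen = stack.ipv4_id()               # observed on the IP layer first
    return stack.udp_source_port() == predict_port_from_ipv4_id(seen)
```

Running `cross_layer_prediction_holds` on `NetStack(ToyLcg(seed))` always returns True, while on `NetStack(None)` the prediction fails almost always, which is the property a per-consumer strong generator buys.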
This DNS poisoning risk exists for both local and remote networks. However, the DNS server that is poisoned must lie outside of the target network.
Furthermore, the ability to make inferences around random number generation inside a Linux system can also give attackers the ability to track the users of Android and Linux devices.
Note that only Linux systems and other operating systems based on the Linux kernel, such as Android, are vulnerable to this attack.
The solution to this attack vector is to replace the current PRNG in Linux with an algorithm that offers stronger random number generation. Newer Linux versions contain an improved PRNG.
Also note that applications using DNS-over-HTTPS will block the attack, but only if both the DNS server and the stub resolver fully support DNS-over-HTTPS. However, DNS-over-HTTPS will not eliminate the risk of device tracking.
Note that while Debian Linux and CentOS Linux do not use DNS caches, both Linux distributions are still vulnerable to CVE-2020-16166.
Linux distributions affected by CVE-2020-16166
Amit Klein, the researcher who discovered the vulnerability, says that Ubuntu servers are the most vulnerable. Unique characteristics of the Ubuntu stub resolver mean that attackers have the option of a particularly powerful DNS attack aimed at Ubuntu servers.
That implies a big risk, according to Klein, given that 13.4% of the world’s web servers are running on Ubuntu. In addition, another 3.4% of web servers run a combination of Ubuntu and a public DNS server. This satisfies the preconditions that can lead to the exploitation of CVE-2020-16166.
Klein told the Daily Swig that he thinks the numbers above are a conservative estimate because servers that use private DNS (from an ISP, for example) are also open to an attack – though it will require harder work and more preparation from the attacker. Klein says he cannot predict how feasible an attack is where a private DNS is in use on a vulnerable Linux server.
Nonetheless, Klein warns that DNS cache poisoning opens the door to a wide range of security concerns. He lists a few – including compromised e-mail security, hijacking HTTP and e-mail traffic as well as the ability to bypass anti-spam and blacklisting protection.
CVE-2020-16166 can also enable an attacker to mount a DoS attack that is local (blackhole hosts), to compromise reverse DNS resolution, and to mount an attack on the network time protocol (NTP) client, a critical tool that maintains a Linux server’s clock.
Patches for Debian 10, Debian 8, Oracle Linux UEK 5 and 6, Ubuntu 18.04, 20.04 are now available and will be applied to all systems with KernelCare installed within the next 4 hours.
Patches for Oracle Linux UEK 4 and RHEL 8 (CentOS 8, CL8, CL7h) will be released early next week.
Note that patching of RHEL 7 will not be addressed by the vendor.