A new attack technique called cross-layer attack has been identified, which combines vulnerabilities across multiple network protocol layers to attack the target system. It is estimated that one in every 20 web servers could be vulnerable to a security flaw that exists in the Linux kernel, allowing hackers to perform cross-layer attacks.
The cross-layer attack is possible because the IPv6 flow label generation algorithm, UDP source port generation algorithm, and the IPv4 ID generation algorithm use the same Pseudo-Random Number Generator (PRNG).
- A flaw (CVE-2020-16166) in PRNG allows an attacker to obtain the internal state of any application using that PRNG.
- After obtaining the internal state of the PRNG from one of the OSI layers (network), the security flaw makes it possible to use this information to estimate the random number value in other OSI layers as well.
- Estimating the PRNG value allows attackers to carry out DNS cache poisoning attacks to target Linux systems locally and remotely.
- The security flaw can allow hackers to recognize and track Android- and Linux-based devices. It works even when the browser privacy mode is On or VPN is in use.
- It has been estimated that around 13.4% of the vulnerable web servers are running Ubuntu and 3-5% of servers run on both Ubuntu and a public DNS service, having the necessary pre-conditions required for potential exploitation.
A patch is developed
A security researcher who discovered this security flaw notified the Linux security team in March 2020. After that, they developed a patch based on a stronger PRNG using SipHash to fix the issue.
The latest versions of Linux contain the new PRNG, which is not affected by the security flaw. Therefore, experts recommend keeping all the applications and operating systems patched with the latest updates. In addition, DNS-over-HTTPS can be used to block the attack, if the stub resolver and DNS server support it.