Multihomed Linux Devices Flaw Allows Spoof of Internal Communication

A critical vulnerability has been discovered in multihomed Linux devices. It allows attackers to spoof and inject packets into internal communication streams via an external or public interface.

Security researchers uncovered the flaw during several assessments, and it has been successfully exploited on multiple occasions.

The issue stems from interactions between multihomed Linux devices and common firewall configurations using Linux’s stateful firewall (conntrack module).

The conntrack module, which tracks connections for the stateful firewall, does not account for the interface on which a connection was established.

As a result, a typical firewall rule allowing established and related connections applies to all connections, not just those directed to external hosts.

This enables an attacker on the external interface to spoof and inject packets into internal traffic flows, provided the forged packets carry the same IP addresses and ports as an already established internal connection.

Wide Range Of Devices Potentially Affected

The vulnerability applies to any multihomed Linux device connected to multiple networks. This includes not only obvious targets like NAT routers, but also Linux hosts running virtual machines, VPN servers, embedded devices, automotive systems, and drones.

Any Linux system with multiple interfaces that lacks anti-spoofing firewall rules is likely vulnerable.

Researchers have successfully exploited this vulnerability to:

  • Inject data into a Lidar stream on an autonomous vehicle
  • Spoof NAT-PMP/PCP packets to create dynamic port mappings on a NAT router
  • Spoof mDNS responses
  • Inject packets into communications between two internal hosts behind a NAT router

A video released by the researchers demonstrates corrupting Lidar data by injecting packets into the stream.

There are some limitations to exploiting the vulnerability:

  • The attacker must be able to deliver packets with internal source addresses, typically from private IP ranges, to the external interface
  • Some blind injection or brute-forcing of parameters like ports and sequence numbers is usually required
  • Injecting into TCP connections is more challenging than UDP due to sequence numbers

However, despite these limitations, the researchers have successfully exploited the flaw to spoof critical data streams in several scenarios.

To mitigate the vulnerability, the researchers recommend:

  1. Implementing anti-spoofing firewall rules to drop packets with spoofed internal IP addresses on external interfaces
  2. Using the SO_BINDTODEVICE socket option to restrict services so that they receive packets only on the intended internal interfaces

They have also released an LD_PRELOAD wrapper tool to help bind sockets to specific interfaces, even for external software where source code is unavailable.
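The following is an added illustration, not code from the article or from the researchers: a toy model of a Linux stateful firewall whose connection table, like the real conntrack table, is keyed on the 5-tuple only and records no ingress interface. It shows why a plain "accept established/related" rule admits a forged packet arriving on the external interface, and how the first recommended mitigation (an anti-spoofing drop rule) closes the gap; the interface names, addresses and the nftables rule in the comment are assumed sample values, and the socket-level SO_BINDTODEVICE mitigation is not modelled.

```python
import ipaddress
from dataclasses import dataclass

EXTERNAL_IFACE = "eth0"  # public side; assumed interface name
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on (not stored by conntrack)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    def __init__(self, anti_spoof: bool):
        self.anti_spoof = anti_spoof
        self.conntrack = set()  # 5-tuples only, no interface, as in conntrack

    def _flow(self, p: Packet):
        # Direction-agnostic key so replies match the original entry.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, *ends[0], *ends[1])

    def admit(self, p: Packet) -> bool:
        src = ipaddress.ip_address(p.src)
        # Mitigation 1: drop internal source addresses seen on the external
        # interface before the "established" rule can match. Assumed nftables
        # equivalent:
        #   nft add rule inet filter input iifname "eth0" \
        #       ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        if (self.anti_spoof and p.iface == EXTERNAL_IFACE
                and any(src in n for n in INTERNAL_NETS)):
            return False
        if self._flow(p) in self.conntrack:
            return True  # --ctstate ESTABLISHED,RELATED -j ACCEPT
        if p.iface != EXTERNAL_IFACE:
            self.conntrack.add(self._flow(p))  # internal hosts may open flows
            return True
        return False  # default drop for new flows arriving from outside


def spoof_reaches_internal_flow(anti_spoof: bool) -> bool:
    """True if a forged packet from the external interface is admitted."""
    fw = StatefulFirewall(anti_spoof)
    # Constructed sample: internal host on eth1 opens a UDP flow to the device.
    fw.admit(Packet("eth1", "udp", "192.168.1.20", 5353, "192.168.1.1", 5353))
    # Same 5-tuple forged by an outside sender and delivered via eth0.
    return fw.admit(Packet("eth0", "udp", "192.168.1.20", 5353, "192.168.1.1", 5353))
```

With `anti_spoof=False` the forged packet is accepted purely because the 5-tuple is already in the table; with `anti_spoof=True` it is dropped before state lookup.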

Linux administrators are advised to review their firewall configurations and implement the recommended mitigations to protect multihomed devices from this packet spoofing and injection vulnerability.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
