Cyber security researchers report that Linux encryption permits DNS cache poisoning. Weaknesses in entropy used in Linux pseudo random number generation (PRNG) could allow attackers to predict the output keys and break into the encryption process by using a forward attack method (see Gutterman, 2020). Cross-layer attacks where an attacker launches coordinate simultaneous attacks at different network layers has also been linked to weaknesses in PRNG making it possible for the attacker to predict random number values from different OSI layers, effectively breaking encryption associated with the data in transit.
Amit Klein (see Klein, 2020) recently investigated the PRNG issue associated with the Linux and Android kernels and found that it was possible to successfully mount a DNS cache poisoning attack against Linux platforms. Klein states that his attack method allowed the team at Cornell University to collect TCP/IPv6 flow label values and TCP/IPv4 ID values. By doing so Klien was able to reconstruct the internal PRNG state being used by the Linux OS and predict the outbound DNS query.
Klein’s findings are very worrying, but disclosure of his findings to Linux OS providers in March 2020 has at least resulted in the issuance of a back-porting PRNG patch for the latest Linux distributions (see Larabel, 2020). However, it is still possible that Internet users browsing can be attacked using a DNS poisoning attack if Internet facing services still have not been patched. So it is advised that this patch is applied as soon as possible.
