reward decided
$7,500
Google comment The final version of the research paper with the title "You Can Rand but You Can't Hide: A Holistic Security Analysis of Google Fuchsia's (and gVisor's) Network Stack" was published at the NDSS 2025 symposium. The following corresponding CVEs were issued: CVE-2024-10026, CVE-2024-10603, and CVE-2024-10604.
Summary: Vulnerabilities in the algorithms used by Fuchsia/gVisor to populate network protocol header fields, specifically the TCP ISN, TCP timestamp, TCP and UDP source ports, and IPv4/IPv6 fragment ID
Product: Fuchsia
URL: https://cs.opensource.google/fuchsia/fuchsia
Vulnerability type: Information Leak
Dear Google Fuchsia security Team
This is Amit Klein, a faculty member of the Hebrew University School of Computer Science and Engineering. I would like to report several security vulnerabilities in gVisor's network stack that we (Inon Kaplan - a PhD candidate in the Hebrew University, Ron Even - a BSc graduate from Bar Ilan University, and yours truly) found during our research. FYI, in parallel we are notifying the gVisor team about our findings, and we are also submitting this manuscript to a conference which will take place in early 2025.
The full report is attached as a PDF file.
Some highlights:
We report multiple vulnerabilities in the algorithms used by Fuchsia/gVisor to populate network protocol header fields, specifically the TCP initial sequence number, TCP timestamp, TCP and UDP source ports, and IPv4/IPv6 fragment ID fields. Our attacks result in the exposure of a PRNG seed and a hashing key used to generate the above fields. This enables an attacker to predict future values of the fields, which facilitates several network attacks.
The paper focuses mostly on device tracking (against Fuchsia), but other attacks are also possible when the PRNG seed and the HashIV key are exposed:
Our main results are explained in sections III-VI of the paper. Section VII discusses our experiments with our PoC server and several Fuchsia devices over multiple networks. Section VIII discusses root causes and provides recommendations.
We also note that the Fuchsia NetStack3 implementation of TCP/UDP source port selection algorithm is vulnerable to a device tracking attack, as explained in Appendix A. NetStack3 is presently not the default stack in Fuchsia. The relevant file is https://cs.opensource.google/fuchsia/fuchsia/+/main:src/connectivity/network/netstack3/core/src/transport/tcp/socket/mod.rs
For your convenience, here is a list of relevant source code locations:
We look forward to helping you address the vulnerabilities above in a timely manner. We can provide access to our PoC server if required. While we encourage you to provide a fix/patch ASAP, we do kindly ask you to keep the technical information and the nature of the attacks (except their attribution to us) confidential until we disclose them in a coordinated manner.
The attacks described in the paper can be mounted remotely, i.e. while a browser running in Fuchsia consumes an attacker web page.
Our main scenario is a device tracking attack, wherein colluding (but unrelated, e.g. using no shared DNS/IP infrastructure) websites can track a Fuchsia device across networks, across time, across browser modes (regular/privacy), and across time. As a by product, our attacks also reveal the internal (private) IPv4 address of the device, even when it's behind a NAT.
We also describe how to predict UDP source ports, TCP source ports, TCP initial sequence numbers, and IP IDs. All these can be used subsequently for network attacks such as injecting TCP data to an existing connection.