CR, May 30

One (Thread) Can Keep a (PRNG) Secret, but not Two

arXiv:2606.00918
AI Analysis

This work demonstrates the first cryptanalytic attack leveraging race conditions, impacting Apple users by enabling off-path manipulation of network traffic.

The authors present a novel attack exploiting a race condition in XNU's IPv6 Fragment ID generation to predict fragment IDs, enabling spoofing attacks that can modify UDP and TCP traffic. The attack was assigned CVE-2024-27823 and patched by Apple.

We present a novel, practical attack on the IPv6 Fragment ID generation algorithm of XNU, which is the kernel used by Apple products such as macOS and iOS. This attack exploits a race-condition vulnerability in the algorithm's pseudorandom number generator (PRNG) to cryptanalytically break, learn the internal state of the generator, and consequently predict fragment IDs, which, in turn, facilitates an IPv6 fragment spoofing attack. As far as we know, this is the first cryptanalytic attack that is based on exploiting race-conditions. With fragment spoofing, it is possible to partially manipulate UDP datagrams and TCP segments. We showcase a new type of attack on NFS (UDP) where an off-path attacker modifies a file as it is written, and an attack on HTTP (TCP) where an off-path attacker modifies an HTTP request. Apple assigned this vulnerability the CVE identifier CVE-2024-27823 and patched all its XNU-based products against the attack.
