CERT/CC Vulnerability Note VU#641765

Overview

The Linux kernel, versions 3.9+, IP implementation is vulnerable to denial of service conditions with low rates of specially modified packets.

Description

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5391

The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly.

An attacker may cause a denial of service condition by sending specially crafted IP fragments.

Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.

Impact

An attacker may be able to trigger a denial-of-service condition against the system.

Solution

Apply a patch
Patches are available from OS vendors to address the vulnerability.

If you are unable to apply a patch, see the following mitigations:

Modify Default Configurations
Change the (default) values of net.ipv4/ipv6.ipfrag_high_thresh and net.ipv4/ipv6.ipfrag_low_thresh back to 256kB and 192 kB (respectively) or below.

Example:
sysctl -w net.ipv4.ipfrag_low_thresh=196608 sysctl -w net.ipv4.ipfrag_high_thresh=262144 sysctl -w net.ipv6.ip6frag_low_thresh=196608 sysctl -w net.ipv6.ip6frag_high_thresh=262144

Update:
Further testing shows that these mitigations are not a 100% fix. A significantly strong attack will still result in a denial of service condition.

Revert Commit
Another sufficient mitigation is to revert the commit c2a936600f78aea00d3312ea4b66a79a4619f9b4

Vendor Information

641765

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Arista Networks, Inc. Affected

Check Point Software Technologies Affected

Debian GNU/Linux Affected

Microsoft Affected

Red Hat, Inc. Affected

SUSE Linux Affected

Ubuntu Affected

Broadcom Not Affected

3com Inc Unknown

A10 Networks Unknown

ACCESS Unknown

ADTRAN Unknown

ANTlabs Unknown

ARRIS Unknown

ASP Linux Unknown

AT&T Unknown

AVM GmbH Unknown

Actelis Networks Unknown

Actiontec Unknown

Aerohive Unknown

AhnLab Inc Unknown

AirWatch Unknown

Akamai Technologies, Inc. Unknown

Alcatel-Lucent Enterprise Unknown

Alpine Linux Unknown

Amazon Unknown

Android Open Source Project Unknown

Appgate Network Security Unknown

Apple Unknown

Arch Linux Unknown

Aruba Networks Unknown

AsusTek Computer Inc. Unknown

Atheros Communications Inc. Unknown

Avaya, Inc. Unknown

Barracuda Networks Unknown

Belkin, Inc. Unknown

Bell Canada Enterprises Unknown

BlackBerry Unknown

BlueCat Networks, Inc. Unknown

Brocade Communication Systems Unknown

CA Technologies Unknown

Cambium Networks Unknown

Ceragon Networks Inc Unknown

Cisco Unknown

Comcast Unknown

Command Software Systems Unknown

CoreOS Unknown

Cradlepoint Unknown

D-Link Systems, Inc. Unknown

Dell Unknown

Dell EMC Unknown

Dell SecureWorks Unknown

DesktopBSD Unknown

Deutsche Telekom Unknown

Devicescape Unknown

Digi International Unknown

DragonFly BSD Project Unknown

EfficientIP SAS Unknown

Ericsson Unknown

Espressif Systems Unknown

European Registry for Internet Domains Unknown

Express Logic Unknown

Extreme Networks Unknown

F-Secure Corporation Unknown

F5 Networks, Inc. Unknown

Fedora Project Unknown

Force10 Networks Unknown

Foundry Brocade Unknown

FreeBSD Project Unknown

GNU glibc Unknown

Geexbox Unknown

Gentoo Linux Unknown

Google Unknown

HP Inc. Unknown

HTC Unknown

HardenedBSD Unknown

Hitachi Unknown

Honeywell Unknown

Huawei Technologies Unknown

IBM Corporation (zseries) Unknown

IBM, INC. Unknown

InfoExpress, Inc. Unknown

Infoblox Unknown

Intel Unknown

Internet Systems Consortium Unknown

Internet Systems Consortium - DHCP Unknown

Interniche Technologies, inc. Unknown

Joyent Unknown

Juniper Networks Unknown

Kyocera Communications Unknown

Lancope Unknown

Lantronix Unknown

Lenovo Unknown

Linksys Unknown

Marvell Semiconductors Unknown

McAfee Unknown

MediaTek Unknown

Medtronic Unknown

Men & Mice Unknown

MetaSwitch Unknown

Micro Focus Unknown

Microchip Technology Unknown

MikroTik Unknown

Miredo Unknown

Mitel Networks, Inc. Unknown

NEC Corporation Unknown

NETSCOUT Unknown

NLnet Labs Unknown

NetBSD Unknown

Netgear, Inc. Unknown

Nixu Unknown

Nokia Unknown

Nominum Unknown

OmniTI Unknown

OpenBSD Unknown

OpenConnect Unknown

OpenDNS Unknown

Openwall GNU/*/Linux Unknown

Oracle Corporation Unknown

Paessler Unknown

Peplink Unknown

Philips Electronics Unknown

PowerDNS Unknown

Pulse Secure Unknown

QLogic Unknown

QNX Software Systems Inc. Unknown

QUALCOMM Incorporated Unknown

Quagga Unknown

Quantenna Communications Unknown

Riverbed Technologies Unknown

Roku Unknown

Ruckus Wireless Unknown

Samsung Mobile Unknown

Samsung Semiconductor Inc. Unknown

Secure64 Software Corporation Unknown

Sierra Wireless Unknown

Slackware Linux Inc. Unknown

Snort Unknown

SonicWall Unknown

Sonos Unknown

Sony Corporation Unknown

Sophos, Inc. Unknown

Sourcefire Unknown

Symantec Unknown

Synology Unknown

TP-LINK Unknown

Technicolor Unknown

TippingPoint Technologies Inc. Unknown

Toshiba Commerce Solutions Unknown

TrueOS Unknown

Turbolinux Unknown

Ubiquiti Networks Unknown

Unisys Unknown

VMware Unknown

Wind River Unknown

Xilinx Unknown

Zebra Technologies Unknown

Zephyr Project Unknown

Zyxel Unknown

aep NETWORKS Unknown

dnsmasq Unknown

eero Unknown

m0n0wall Unknown

netsnmp Unknown

pfSense Unknown

View all 165 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base	7.8	AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal	6.6	E:U/RL:ND/RC:ND
Environmental	6.6	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=c30f1fc041b74ecdb072dd44f858750414b8b19f

Acknowledgements

Thanks to Juha-Matti Tilli (Aalto University, Department of Communications and Networking / Nokia Bell Labs) for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs:	CVE-2018-5391
Date Public:	2018-08-14
Date First Published:	2018-08-14
Date Last Updated:	2018-10-12 12:31 UTC
Document Revision:	37

Software Engineering Institute

CERT Coordination Center

Linux kernel IP fragment re-assembly vulnerable to denial of service

Vulnerability Note VU#641765