Last Updated: 2018-08-08 03:11:33 UTC
by Johannes Ullrich (Version: 1)
"SegmentSmack" is yet another branded vulnerability, also known as CVE-2018–5390. It hit the "news" yesterday. Succesful exploitation may lead to a denial of service against a targeted system. At this point, not a lot is known about this vulnerability. But here are some highlights:
- Linux Kernel 4.9 is vulnerable. Older versions are not vulnerable. However, some Linux distributions like RedHat ES 6 and 7 include the vulnerable code as they backported some of the 4.9 networking code into their kernels
- An attacker should not be able to exploit this vulnerability using a spoofed IP address. The attacker needs to first establish a TCP connection which is very difficult with a spoofed address.
- It is not known how much traffic the attacker will have to send. But likely not more than a user would send in a normal TCP connection.
- The attack can be launched against any exposed TCP service (Web, Mail, DNS...)
- The vulnerable functions, tcp_collapse_ofo_queue() and tcp_prune_ofo_queue(), are used to deal with reassembling TCP segments. This likely implies that an exploit would use many out of order or otherwise abnormal packets. But this is just a guess at this point.
- If you are vulnerable, your best bet is to update. There is likely not much else you can do (e.g. firewall rules)
You can find more details here: https://www.kb.cert.org/vuls/id/962459