What Do I Need To Know about "SegmentSmack"

Published: 2018-08-08
Last Updated: 2018-08-08 03:11:33 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

"SegmentSmack" is yet another branded vulnerability, also known as CVE-2018–5390. It hit the "news" yesterday. Succesful exploitation may lead to a denial of service against a targeted system. At this point, not a lot is known about this vulnerability. But here are some highlights:

  • Linux Kernel 4.9 is vulnerable. Older versions are not vulnerable. However, some Linux distributions like RedHat ES 6 and 7 include the vulnerable code as they backported some of the 4.9 networking code into their kernels
  • An attacker should not be able to exploit this vulnerability using a spoofed IP address. The attacker needs to first establish a TCP connection which is very difficult with a spoofed address.
  • It is not known how much traffic the attacker will have to send. But likely not more than a user would send in a normal TCP connection.
  • The attack can be launched against any exposed TCP service (Web, Mail, DNS...)
  • The vulnerable functions, tcp_collapse_ofo_queue() and tcp_prune_ofo_queue(), are used to deal with reassembling TCP segments. This likely implies that an exploit would use many out of order or otherwise abnormal packets. But this is just a guess at this point.
  • If you are vulnerable, your best bet is to update. There is likely not much else you can do (e.g. firewall rules)

You can find more details here: https://www.kb.cert.org/vuls/id/962459

Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

3 comment(s)


The same vulnerability is also in FreeBSD and potentially other OSs also. https://www.freebsd.org/security/advisories/FreeBSD-SA-18:08.tcp.asc
Could Windows OSs have this vulnerability or is this one contained to Linux?
Is it possible to detect Segment and/or Fragment Smack using Snort?

Diary Archives