A vulnerability has been identified in the Linux Kernel (version 4.9+) which is tracked in the CVE-2018-5390 advisory. It lists several conditions that allow criminals to modify packets leading to the coordination of DoS (Denial of service) attacks.
CVE-2018-5390 Advisory Tracks DoS Attack Linux Kernel Vulnerability
An email message, posted by Juha-Matti Tilli reported yet another security related issue in the Linux Kernel. The CVE-2018-5390 advisory is a newly published security bulletin which gives details upon a Linux Kernel vulnerability. The document shows that versions 4.9+ can be affected by specific service conditions that can lead to a DoS (Denial of Service) attacks. The exact nature of the issue is related to a modification of behaviour by the users. The kernel can be forced into making calls to two functions for every incoming packet:
- tcp_collapse_ofo_queue() — This routine collapses an out-of-order queue whenever the memory quota for the receive queue is full to make space for the arrived data segment. This is used for buffer control.
- tcp_prune_ofo_queue() — This is a prune function for the network packets. It is used during the queue operations.
Every incoming packet can be modified into going through these two functions. This can lead to a behaviour pattern leading to a Denial of service possibility. The attackers can induce such conditions by sending out modified packets within the ongoing TCP network sessions. The analysis shows that maintaining this state requires a continuous two-way TCP sessions via a reachable open port on the target machine. This means that the attacks can only be performed via real IP addresses, spoofed addresses cannot be used.
At the time of writing this article the device vendors have not published any patches. Once they are ready the appropriate bulletins and updates will be issued both to end users and device owners. A patch series is available which implements a fix to the problem by limiting the cpu cycles to a certain limit which in the end renders the bug non-critical. In the future the developers might proceed with further fixes such as disconnecting or black-holing proven malicious flows.
Update! It appears that the the necessary updates were included in the Linux Kernel before the security announcement were made. They are found in the 4.9.116 and 4.17.11 kernel releases.
By applying the latest Linux Kernel update users will be able to protect themselves from incoming attacks.