A vulnerability has been identified in the Linux Kernel (version 4.9+) which is tracked in the CVE-2018-5390 advisory. It lists several conditions that allow criminals to modify packets leading to the coordination of DoS (Denial of service) attacks.
CVE-2018-5390 Advisory Tracks DoS Attack Linux Kernel Vulnerability
An email message, posted by Juha-Matti Tilli reported yet another security related issue in the Linux Kernel. The CVE-2018-5390 advisory is a newly published security bulletin which gives details upon a Linux Kernel vulnerability. The document shows that versions 4.9+ can be affected by specific service conditions that can lead to a DoS (Denial of Service) attacks. The exact nature of the issue is related to a modification of behaviour by the users. The kernel can be forced into making calls to two functions for every incoming packet:
- tcp_collapse_ofo_queue() — This routine collapses an out-of-order queue whenever the memory quota for the receive queue is full to make space for the arrived data segment. This is used for buffer control.
- tcp_prune_ofo_queue() — This is a prune function for the network packets. It is used during the queue operations.
Every incoming packet can be modified into going through these two functions. This can lead to a behaviour pattern leading to a Denial of service possibility. The attackers can induce such conditions by sending out modified packets within the ongoing TCP network sessions. The analysis shows that maintaining this state requires a continuous two-way TCP sessions via a reachable open port on the target machine. This means that the attacks can only be performed via real IP addresses, spoofed addresses cannot be used.
At the time of writing this article the device vendors have not published any patches. Once they are ready the appropriate bulletins and updates will be issued both to end users and device owners. A patch series is available which implements a fix to the problem by limiting the cpu cycles to a certain limit which in the end renders the bug non-critical. In the future the developers might proceed with further fixes such as disconnecting or black-holing proven malicious flows.
Update! It appears that the the necessary updates were included in the Linux Kernel before the security announcement were made. They are found in the 4.9.116 and 4.17.11 kernel releases.
By applying the latest Linux Kernel update users will be able to protect themselves from incoming attacks.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me:
Our server running the kernel version “4.4.0-133-generic” / Ubuntu 14.04.5 LTS Operating system.
4.4.0-133-generic – is the latest kernel update available in the official repositories.
1) I just wanted to know if this vulnerability is only affected to 4.9.x kernel?
2) Any action required on the 4.4.x kernel?
3) Is this kernel is not impacted with this vulnerability.
Hello Nixon,
So far the information that we have found about the matter is that the bug impacts only later releases of the Linux Kernel release. As far as we know the 4.4.x family is not affected. However it would be best to ask the Ubuntu security team for confirmation.