A denial-of-service vulnerability reminiscent of those that plagued older versions of Windows has resurfaced in the operating system. The flaw has been dubbed FragmentSmack (a sibling of SegmentSmack, which hits TCP segment reassembly in Linux) and tracked as CVE-2018-5391. As explained in Microsoft’s advisory, “an attacker could send many 8-byte sized IP fragments with random starting offsets, but withhold the last fragment and exploit the worst-case complexity of linked lists in reassembling IP fragments”. Because the final fragment never arrives, the partially reassembled datagram is never completed and freed, and every new out-of-order fragment forces the stack to walk a longer and longer fragment list before inserting it.
While the fragments keep arriving, the targeted system’s CPU stays pegged at 100% and the operating system becomes unresponsive. The flaw does not corrupt memory or crash the machine: the system recovers on its own the moment the attack ends.
More about FragmentSmack (CVE-2018-5391)
CVE-2018-5391 affects all supported Windows versions at the time of disclosure: Windows 7, 8.1 and RT 8.1 through Windows 10, Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016, including Server Core installations, on any system that has not applied the security updates released on the September 2018 Patch Tuesday.
The flaw was given the FragmentSmack nickname because it abuses IP fragmentation. Briefly, IP fragmentation is the process of breaking a datagram into smaller pieces (fragments) so that they can cross a link whose maximum transmission unit (MTU) is smaller than the original packet size; the receiving host buffers the fragments and reassembles them by offset. IP fragmentation attacks are a long-standing form of DoS in which the attacker overwhelms a target by abusing exactly this reassembly mechanism.
Incapsula researchers file FragmentSmack under the broader family of IP fragmentation attacks best known through the Teardrop attack, which targets TCP/IP reassembly code and prevents it from putting fragmented datagrams back together. The two are related but not the same: a classic Teardrop attack sends fragments whose offsets overlap so that buggy reassembly code corrupts memory and crashes the host, whereas FragmentSmack sends valid, non-overlapping 8-byte fragments and never a last one, so nothing crashes but the CPU is consumed by the cost of keeping the fragment list sorted. It is an algorithmic-complexity attack on IP (not TCP) reassembly.
The Teardrop lineage explains the “older Windows” framing: Windows 3.1, 95 and NT were all susceptible to overlapping-fragment attacks in the 1990s, and the hole was believed to be closed by specific patches. A Teardrop-style vulnerability nevertheless reappeared in Windows Vista and Windows 7 in 2009, and FragmentSmack now shows that fragment reassembly remains a weak spot even when the code handles overlaps correctly.
How to Mitigate FragmentSmack (CVE-2018-5391)
If the security update cannot be applied immediately, Microsoft’s advisory offers a workaround: set the IPv4 and IPv6 reassembly limits to zero with the following commands, which disables fragment reassembly entirely. The trade-off is that the host then drops every fragmented IP datagram, legitimate ones included, so protocols that rely on fragmentation (large UDP payloads such as some DNS, IKE or NFS traffic) may break until the default is restored. The advisory also gives the commands to put the limits back to the default value of 267748640 bytes once the update is installed, and the current value can be checked on each protocol with the matching show global command.
Netsh int ipv4 set global reassemblylimit=0
Netsh int ipv6 set global reassemblylimit=0
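The two points above, the worst-case linked-list cost quoted from Microsoft’s advisory and what a reassembly limit of zero actually does, as an added simulation written for this article. It is a constructed Python model, not Windows or Linux kernel code: the queue is a per-datagram linked list kept sorted by fragment offset with an append fast path, the fragment sizes and the 267748640-byte default are taken from the text, and the 3000-byte “legitimate” datagram is an assumed example of ordinary fragmented traffic.

```python
"""Constructed model of FragmentSmack-style reassembly cost (not OS code)."""
import random

DEFAULT_LIMIT = 267748640   # byte cap quoted in Microsoft's advisory as the default
FRAG_SIZE = 8               # fragment payload size used by the attack


class _Node:
    __slots__ = ("offset", "data", "more", "next")

    def __init__(self, offset, data, more):
        self.offset = offset
        self.data = data
        self.more = more    # IP "More Fragments" flag; False marks the last fragment
        self.next = None


class FragmentQueue:
    """Reassembly queue for one datagram, kept as an offset-sorted linked list."""

    def __init__(self, limit_bytes):
        self.limit_bytes = limit_bytes   # total payload bytes allowed to sit in the queue
        self.head = None
        self.tail = None
        self.queued_bytes = 0
        self.walked = 0                  # nodes visited while inserting: CPU-cost proxy
        self.dropped = 0

    def insert(self, offset, data, more=True):
        if self.queued_bytes + len(data) > self.limit_bytes:
            self.dropped += 1            # cap reached (or cap is 0): fragment discarded
            return False
        node = _Node(offset, data, more)
        if self.tail is None:
            self.head = self.tail = node
        elif offset > self.tail.offset:
            self.tail.next = node        # in-order fast path: O(1) per fragment
            self.tail = node
        else:
            # out-of-order fragment: walk from the head, O(n) per fragment
            prev, cur = None, self.head
            while cur is not None and cur.offset < offset:
                self.walked += 1
                prev, cur = cur, cur.next
            node.next = cur
            if prev is None:
                self.head = node
            else:
                prev.next = node
        self.queued_bytes += len(data)
        return True

    def is_complete(self):
        """True only when a last fragment arrived and the data is contiguous."""
        expected, cur, saw_last = 0, self.head, False
        while cur is not None:
            if cur.offset != expected:
                return False
            expected += len(cur.data)
            saw_last = not cur.more
            cur = cur.next
        return saw_last


def attack_cost(n_fragments, limit_bytes, random_offsets=True, seed=1):
    """Feed n 8-byte fragments of one datagram and never send the last one."""
    rng = random.Random(seed)
    q = FragmentQueue(limit_bytes)
    for i in range(n_fragments):
        # offsets are multiples of 8, as the IP fragment-offset field requires
        offset = rng.randrange(0, 65536 // FRAG_SIZE) * FRAG_SIZE if random_offsets else i * FRAG_SIZE
        q.insert(offset, b"\x00" * FRAG_SIZE, more=True)
    return {"walked": q.walked, "dropped": q.dropped,
            "queued_bytes": q.queued_bytes, "complete": q.is_complete()}


def legitimate_datagram(limit_bytes):
    """Assumed ordinary traffic: 3000 payload bytes split for a 1500-byte MTU."""
    q = FragmentQueue(limit_bytes)
    accepted = [q.insert(0, b"a" * 1480), q.insert(1480, b"b" * 1480),
                q.insert(2960, b"c" * 40, more=False)]
    return all(accepted) and q.is_complete()


if __name__ == "__main__":
    print("in-order fragments :", attack_cost(2000, DEFAULT_LIMIT, random_offsets=False))
    print("random offsets     :", attack_cost(2000, DEFAULT_LIMIT))
    print("reassemblylimit=0  :", attack_cost(2000, 0))
    print("legit, default cap :", legitimate_datagram(DEFAULT_LIMIT))
    print("legit, cap = 0     :", legitimate_datagram(0))
```

Run it and compare the `walked` counts: two thousand in-order fragments never leave the fast path, while the same number with random offsets visits on the order of a million list nodes, and the queue is never complete, so nothing frees it. With the cap set to 0 every fragment is dropped before any list work happens, which is why the workaround stops the attack, and why the three-fragment legitimate datagram fails to reassemble under the same setting.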
FragmentSmack was in fact disclosed first against the Linux kernel (version 3.9 and later) in August 2018, alongside the related SegmentSmack, tracked as CVE-2018-5390, which affects Linux 4.9 and later. SegmentSmack works the same way one layer up: a remote attacker sends specially crafted TCP segments that force the kernel into expensive reassembly work on an open connection, driving the CPU to 100% and denying service for as long as the packets keep coming.