Two Linux bugs let remote attackers knock out network devices with low-traffic attacks

Linux distributions have flagged patches for two bugs in the Linux kernel that could allow remote attackers to trigger a denial of service (DoS) on a machine.

Ubuntu, Red Hat and other maintainers of Linux operating systems are releasing patches for the bugs. One is called “FragmentSmack” since the DoS can be triggered by the way the Linux kernel reassembles fragmented Internet Protocol version 4 (IPv4) and IPv6 packets.

The US CERT Coordination Center posted an alert about the security issue, tagged with the ID CVE-2018-5391, which affects systems with versions 3.9 and above of the Linux kernel.   

The kernel bug allows an attacker to send a low rate of specially crafted IP packet fragments that can trigger excessive RAM consumption that saturates the CPU.    

It’s possible that many network, computer and mobile vendors are affected. The bug follows the disclosure of a related kernel bug called SegmentSmack, which allowed an attacker to cause a DoS using a low rate of TCP packets.

Red Hat warned last week that SegmentSmack, in a “worst case scenario”, allowed an attacker to stall a vulnerable host or device with less than 2,000 packets per second (2 kpps) of attack traffic, which is considered a low-speed attack.

Red Hat has rated both SegmentSmack and FragmentSmack as “high severity” issues. It has provided a mitigation that could neutralize a high-speed attack of around 500 kpps.

A remote attacker could use FragmentSmack to exploit the kernel’s fragment reassembly algorithm by sending specially crafted packets.

A 30 kpps attack on a physical system running a 1.7GHz Intel Xeon CPU with 32 cores, for example, could look like a “complete saturation of a core”, which would stall a system.

Both Smack attacks stem from the Linux kernel's network stack, and all of Red Hat’s products with “moderately new” versions of the Linux kernel are affected, including Red Hat Enterprise Linux (RHEL) 6, RHEL 7, and RHEL 7 for ARM and IBM POWER. The exception is RHEL-5, where maintainers found that only a “high-speed” attack of 1,000 packets per second (1Mpps) could “barely saturate” a single CPU core.
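Because FragmentSmack works at a low packet rate, link utilisation will not show it; the kernel's own fragment-reassembly counters will. The following is an added example, not from Red Hat or the article: it computes reassembly rates from two snapshots of `/proc/net/snmp` (IPv4) and `/proc/net/snmp6` (IPv6). The sample snapshots are constructed, and using the article's 30 kpps figure as a ceiling is an assumption.

```python
# Constructed, abbreviated samples (the real files carry many more counters),
# assumed to be taken 10 seconds apart on the same host.
SNMP_T0 = ("Ip: Forwarding DefaultTTL InReceives ReasmTimeout ReasmReqds ReasmOKs ReasmFails\n"
           "Ip: 2 64 1000000 12 5000 2400 30\n"
           "Tcp: RtoAlgorithm RtoMin\nTcp: 1 200\n")
SNMP_T1 = ("Ip: Forwarding DefaultTTL InReceives ReasmTimeout ReasmReqds ReasmOKs ReasmFails\n"
           "Ip: 2 64 1400000 95 305000 2500 41030\n"
           "Tcp: RtoAlgorithm RtoMin\nTcp: 1 200\n")
SNMP6_T0 = "Ip6InReceives 900\nIp6ReasmReqds 40\nIp6ReasmFails 0\nUdp6InDatagrams 7\n"
SNMP6_T1 = "Ip6InReceives 2900\nIp6ReasmReqds 140\nIp6ReasmFails 10\nUdp6InDatagrams 9\n"

# Rate quoted in the article for saturating one core. Assumption: treat it as a
# ceiling only; a useful alert threshold sits well below it, near your baseline.
ARTICLE_RATE_PPS = 30_000


def parse_snmp(text):
    """IPv4 counters from /proc/net/snmp: an 'Ip:' header line, then a value line."""
    rows = [line.split()[1:] for line in text.splitlines() if line.startswith("Ip:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Ip: header line and one Ip: value line")
    names, values = rows
    return dict(zip(names, map(int, values)))


def parse_snmp6(text):
    """IPv6 counters from /proc/net/snmp6: one 'name value' pair per line."""
    pairs = (line.split() for line in text.splitlines() if line.strip())
    # Drop the 'Ip6' prefix so both address families share counter names.
    return {name[3:]: int(value) for name, value in pairs if name.startswith("Ip6")}


def reassembly_rates(before, after, seconds):
    """Per-second growth of fragments queued for reassembly and of failed reassemblies."""
    if seconds <= 0:
        raise ValueError("snapshots must be taken at different times")
    return {k: (after[k] - before[k]) / seconds for k in ("ReasmReqds", "ReasmFails")}


def fragment_alert(before, after, seconds, threshold_pps=ARTICLE_RATE_PPS):
    """True when fragments arrive for reassembly at or above threshold_pps."""
    return reassembly_rates(before, after, seconds)["ReasmReqds"] >= threshold_pps


if __name__ == "__main__":
    print("IPv4:", reassembly_rates(parse_snmp(SNMP_T0), parse_snmp(SNMP_T1), 10))
    print("IPv6:", reassembly_rates(parse_snmp6(SNMP6_T0), parse_snmp6(SNMP6_T1), 10))
```

On a live host, read the two files twice a known interval apart and pass the parsed snapshots to `fragment_alert` with a threshold derived from normal traffic.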

UK-based security researcher Kevin Beaumont has provided two commands that can be used to achieve something similar to Google’s undocumented fixes for Android

 


Stories by Liam Tung
