Two Linux bugs let remote attackers knock out network devices with low-traffic attacks

Linux distributions have flagged patches for two bugs in the Linux kernel that could allow remote attackers to trigger a denial of service (DoS) on machine. 

Ubuntu, RedHat and other maintainers of Linux operating systems are releasing patches for the the bugs. One is called “FragmentSmack” since the DoS can be triggered by the way the Linux kernel reassembles fragmented Internet Protocol version 4 (IPv4) and IPv6 packets. 

The US CERT Coordination Center posted an alert about the security issue, tagged with the ID CVE-2018-5391, which affects systems with versions 3.9 and above of the Linux kernel.   

The kernel bug allows an attacker to send a low rate of specially crafted IP packet fragments that can trigger excessive RAM consumption that saturates the CPU.    

It’s possible that many network, computer and mobile vendors are affected and follows the disclosure of a related kernel bug that called SegmentSmack, which allowed an attacker to cause a DoS using a low rate of TCP packets.  

RedHat warned last week that SegmentSmack, in a “worst case scenario”, allowed an attacker stall a vulnerable host or device with less than 2,000 packets per second (2 kpps) of attack traffic, which is considered a low-speed attack. 

RedHat has rated both SegmentSmack and FragmentSmack as “high severity” issues. It has provided a mitigation that could neutralize a high-speed attack of around 500 kpps.  

A remote attacker could use FragmentSmack to trigger exploit the kernel’s fragment reassembly algorithm by sending specially crafted packets. 

A 30 apps attack on a physical system running on a 1.7GHz Intel Xeon CPI with 32 cores, for example, could look like a “complete saturation of a core”, which would stall a system. 

Both Smack attacks stem from the Linux kernel's network stack and all of Red Hat’s, including RedHat Enterprise Linux (RHEL) 6, RHEL 7, RHEL 7 for ARM and IBM POWER, with “moderately new” versions of the Linux kernel versions affected, with the exception of RHEL-5 where maintainers found that only a “high-speed” attack of 1,000 packets per second (1Mpps) could “barely saturate” a single CPU core.   

UK-based security researcher Kevin Beaumont has provided two commands that can be used to achieve something similar to Google’s undocumented fixes for Android.