Linux and FreeBSD Kernels TCP Reassembly Denial of Service Vulnerabilities Affecting Cisco Products: August 2018

2018-08-24T21:30:00
ID CISCO-SA-20180824-LINUX-TCP
Type cisco
Reporter Cisco
Modified 2018-11-06T18:09:30

Description

A vulnerability in the Linux Kernel could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists because the affected software uses an inefficient TCP reassembly algorithm. An attacker could exploit this vulnerability by sending TCP packets within ongoing sessions that submit malicious input to a targeted system. A successful exploit could trigger resource-intensive time and calculation calls to the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions of the software, which could consume excessive CPU resources, resulting in a DoS condition.

A vulnerability in the TCP reassembly algorithm used by FreeBSD could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists because one of the data structures used by the affected software uses an inefficient algorithm to reassemble TCP segments. An attacker could exploit this vulnerability by sending TCP packets that submit malicious input to the targeted system. A successful exploit could cause excessive CPU resources to be utilized by the system, resulting in a DoS condition.

On August 6, 2018, the Vulnerability Coordination team of the National Cyber Security Centre of Finland (NCSC-FI) and the CERT Coordination Center (CERT/CC) disclosed vulnerabilities in the TCP stacks that are used by the Linux and FreeBSD kernels. These vulnerabilities are publicly known as SegmentSmack.

The vulnerabilities could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. An attack could be executed by using low transfer rates of TCP packets, unlike typical distributed denial of service (DDoS) attacks.

The vulnerabilities are due to inefficient TCP reassembly algorithms in the TCP stacks that are used by the affected kernels. Linux Kernel Versions 4.9 and later and all supported versions of the FreeBSD kernel are known to be affected by these vulnerabilities.

An attacker could exploit these vulnerabilities by sending a stream of packets that are designed to trigger the issue in an established TCP session with an affected device. A sustained DoS condition requires the attacker to maintain a continuous stream of malicious traffic. Due to the required use of an established session, an attack cannot be performed using spoofed IP addresses.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180824-linux-tcp ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180824-linux-tcp"]