Bug 1601704 (CVE-2018-5390, SegmentSmack)

Summary: CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack)
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abhgupta, airlied, aquini, bhu, blc, bskeggs, carnil, chadd, conrad.j.allen, cperry, dbaker, dhoward, ewk, fhrbata, fwestpha, gfrankliu, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, igeorgex, itamar, jarodwilson, jeharris, jforbes, jglisse, jkacur, john.j5live, jokerman, jonathan, josef, jross, jshepherd, jstancek, jwboyer, kelly_chen, kernel-maint, kernel-mgr, labbott, lacyc3, lgoncalv, linville, madhavani, matt, mchehab, mcressma, mickygough, midr, mjg59, mlangsdo, mleitner, mvanderw, nmurray, pabeni, plougher, pmatouse, psampaio, rik.theys, rkhan, rmullett, rt-maint, rvrbovsk, sardella, security-response-team, sfowler, shalygin.k, skozina, slawomir, steved, sthangav, sukulkar, trankin, vdronov, williams, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time- and computation-expensive calls to the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions, which could lead to CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, so the attack cannot be performed using spoofed IP addresses.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-03-05 14:07:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1603011, 1611364, 1611365, 1611366, 1611368, 1611369, 1611371, 1611372, 1611374, 1611375, 1611376, 1611378, 1611379, 1611380, 1611382, 1611383, 1613054, 1613055
Bug Blocks: 1599112, 1612947, 1612948, 1612949, 1612950

Description Sam Fowler 2018-07-17 05:06:02 UTC
A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time- and computation-expensive calls to the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions, which could lead to CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, so the attack cannot be performed using spoofed IP addresses.

External References:

https://access.redhat.com/articles/3553061

https://www.kb.cert.org/vuls/id/962459

https://www.spinics.net/lists/netdev/msg514742.html

An upstream fix is a merge commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e

consisting of the following commits:

commit 72cd43ba64fc172a443410ce01645895850844c8
commit f4a3313d8e2ca9fd8d8f45e40a2903ba782607e7
commit 3d4bf93ac12003f9b8e1e2de37fe27983deebdcf
commit 8541b21e781a22dce52a74fef0b9bed00404a1cd
commit 58152ecbbcc6a0ce7fddd5bf5f6ee535834ece0c
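The description above characterises the problem traffic as segments landing at scattered offsets inside an established session, which keeps the receiver's out-of-order queue expensive to collapse and prune. As an added, defender-side illustration (not code from this bug, from Red Hat, or from the kernel fix), the following Python sketch tracks per TCP flow how many segments arrive non-contiguous with the in-order stream and flags flows where such segments arrive at a sustained high rate. The flow-key format, the rate and fraction thresholds, and the sample records are all constructed assumptions; the actual remedy is the kernel update referenced by the errata in this bug, and this is only a way to spot the pattern in captured traffic.

```python
"""Per-flow tracker that flags TCP streams delivering a sustained burst of
segments at scattered (non-contiguous) offsets, the traffic pattern the
SegmentSmack description refers to.  Added example, not code from the bug
or the kernel fix; thresholds and sample records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float     # arrival time in seconds
    flow: str     # "src:port>dst:port" as emitted by the capture tool (assumed format)
    seq: int      # TCP sequence number of the first payload byte
    length: int   # payload length in bytes


@dataclass
class FlowStats:
    first_ts: float
    last_ts: float
    expected_seq: int          # next in-order byte the receiver is waiting for
    total: int = 0
    out_of_order: int = 0      # segments that landed beyond the in-order point


def track(segments):
    """Replay segments in arrival order and count, per flow, how many were
    contiguous with the in-order stream versus how many were not."""
    flows = {}
    for s in sorted(segments, key=lambda seg: seg.ts):
        st = flows.get(s.flow)
        if st is None:
            # the first segment seen for a flow defines its in-order point
            st = flows[s.flow] = FlowStats(s.ts, s.ts, s.seq)
        st.total += 1
        st.last_ts = s.ts
        if s.seq == st.expected_seq:
            st.expected_seq = s.seq + s.length   # in order: advance the stream
        elif s.seq > st.expected_seq:
            st.out_of_order += 1                 # lands in the out-of-order window
        # a seq below the expected point is a retransmission of delivered data
    return flows


def suspicious_flows(flows, min_ofo_pps=1000.0, min_ofo_fraction=0.9, min_segments=50):
    """Flows whose out-of-order segments arrive at >= min_ofo_pps and make up
    >= min_ofo_fraction of the flow.  The thresholds are illustrative guesses
    and must be tuned against the normal loss/reordering rate of the network."""
    hits = []
    for key, st in flows.items():
        if st.total < min_segments:
            continue
        duration = max(st.last_ts - st.first_ts, 1e-3)
        ofo_pps = st.out_of_order / duration
        fraction = st.out_of_order / st.total
        if ofo_pps >= min_ofo_pps and fraction >= min_ofo_fraction:
            hits.append({"flow": key, "segments": st.total,
                         "out_of_order": st.out_of_order, "ofo_pps": ofo_pps})
    return sorted(hits, key=lambda h: h["flow"])


def sample_segments():
    """Constructed traffic: a normal 200-segment download plus a flow whose
    400 segments arrive within 0.1 s at scattered offsets above the in-order point."""
    segs = []
    seq = 1000
    for i in range(200):                      # contiguous 1448-byte segments
        segs.append(Segment(0.01 * i, "10.0.0.5:40000>10.0.0.1:443", seq, 1448))
        seq += 1448
    segs.append(Segment(0.0, "198.51.100.7:5555>10.0.0.1:443", 5000, 1))
    for i in range(1, 400):                   # every later segment is non-contiguous
        seq = 5101 + (i * 7919) % 60000       # pseudo-random offset, always > 5001
        segs.append(Segment(0.00025 * i, "198.51.100.7:5555>10.0.0.1:443", seq, 1))
    return segs


if __name__ == "__main__":
    for hit in suspicious_flows(track(sample_segments())):
        print(hit)
```

Run stand-alone, the script reports only the constructed scattered-offset flow (399 of 400 segments out of order at roughly 4000 packets per second); the contiguous download is never flagged. Legitimately lossy or reordering paths also produce out-of-order segments, so the fraction and rate thresholds are what separate those from a sustained flood, and they should be set from a baseline of the monitored network rather than taken from this example.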

Comment 12 Eric Christensen 2018-08-06 18:02:50 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/articles/3553061

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, 7, its real-time kernel, Red Hat Enterprise MRG 2, Red Hat Enterprise Linux 7 for ARM 64, and Red Hat Enterprise Linux 7 for Power 9. Future kernel updates for the respective releases will address this issue.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, but to a lesser degree. As such, the issue severity for RHEL5 is considered Moderate. This is not currently planned to be addressed in future updates of the product due to its life cycle and the issue severity. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 13 Vladis Dronov 2018-08-06 21:33:37 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1613055]

Comment 15 Justin M. Forbes 2018-08-08 09:43:29 UTC
This was fixed for Fedora with the 4.17.11 stable updates.

Comment 16 Frank Liu 2018-08-09 20:46:31 UTC
The link https://www.kb.cert.org/vuls/id/962459 mentioned in the first post says "The Linux kernel versions 4.9+ and supported versions of FreeBSD are vulnerable". Since only Fedora has kernel 4.x, which is fixed in above comment 15, are we safe with Red Hat Enterprise Linux 5, 6, 7?

Comment 17 Himanshu Madhavani 2018-08-10 04:56:06 UTC
Red Hat maintains a different versioning system than upstream. It is incorrect to focus on the version number; instead the focus should be on the specific feature or bug/security fix that the later upstream software has.

https://access.redhat.com/solutions/2074

Current RHEL releases with moderately new kernels are affected. Fixes are backported by Red Hat from upstream and released as backported versions, i.e. 2.6.32.x or 3.10.x.

Comment 18 Ethan Schorer 2018-08-12 13:09:21 UTC
Continuing Frank's question and Himanshu's answer.
RHEL 5.11 was released in 9/2014 while kernel 4.9 was released in 12/2016.

So, I can understand how later updates to RHEL 6,7 got the buggy code - but is RHEL 5.x actually affected?

Comment 19 kelly_chen 2018-08-13 09:25:43 UTC
The kernel in our product is 2.6.32; is it affected by CVE-2018-5390? I just want to confirm this. Thank you for your reply.

Comment 20 Adam Mariš 2018-08-14 08:14:36 UTC
Bugzilla is not a support tool. Please, open a support case at access.redhat.com if you have any additional questions.

Thank you!

Comment 21 Frank Liu 2018-08-14 17:03:39 UTC
I see "Red Hat Enterprise Linux 5" was removed from "Affected Products" from this page: https://access.redhat.com/articles/3553061
I assume it will be removed from https://access.redhat.com/security/cve/cve-2018-5390 too.

Comment 22 Frank Liu 2018-08-14 18:08:43 UTC
I see new kernel is released https://access.redhat.com/errata/RHSA-2018:2384 
The Fixes mention 
"BZ - 1601704 - CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack)"

Comment 23 errata-xmlrpc 2018-08-14 18:45:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2384 https://access.redhat.com/errata/RHSA-2018:2384

Comment 24 Vladis Dronov 2018-08-14 19:46:56 UTC
(In reply to Frank Liu from comment #16)
> The link https://www.kb.cert.org/vuls/id/962459 mentioned in the first post
> says "The Linux kernel versions 4.9+ and supported versions of FreeBSD are
> vulnerable". Since only Fedora has kernel 4.x, which is fixed in above
> comment 15, are we safe with Red Hat Enterprise Linux 5, 6, 7?

The network stack was backported to RHEL-7 from the (approx.) version 4.14 upstream Linux kernel, so this flaw was backported too. Parts of the latest network stack were backported to RHEL-6 and -5 also. So the answer to your question is: no, you are not safe; these RHEL versions are vulnerable.

RHEL-5 is affected by these flaws to a significantly lesser degree. As such, the flaw's severity for RHEL5 is considered Moderate.

Please also note that this Bugzilla is not a support tool and does not have SLAs for replies. Please open a support ticket at the Red Hat Portal (access.redhat.com) or email secalert for security-related questions; these systems are monitored and have SLAs.

Comment 25 Vladis Dronov 2018-08-14 19:49:59 UTC
(In reply to Ethan Schorer from comment #18)
> So, I can understand how later updates to RHEL 6,7 got the buggy code - but
> is RHEL 5.x actually affected?

RHEL-5 is affected by these flaws to a significantly lesser degree. Namely, in our tests only a high-speed attack of 1 Mpps (packets, not bytes or bits) was able to barely saturate 1 CPU core. As such, the flaw's severity for RHEL5 is considered Moderate.

Please also note that this Bugzilla is not a support tool and does not have SLAs for replies. Please open a support ticket at the Red Hat Portal (access.redhat.com/support) or email secalert for security-related questions; these systems are monitored and have SLAs.

Comment 26 Vladis Dronov 2018-08-14 19:54:35 UTC
(In reply to kelly_chen from comment #19)
> The kernel in our product is 2.6.32, is it affected by CVE-2018-5390? just
> want to confirm about this. Thank you for your reply.

Is the kernel in your product a Red Hat kernel (i.e. RHEL)? If yes, then yes again, it is affected. Namely, in our tests a 30 kpps 1-stream attack fully saturates 1 core of a 2-core RHEL-6 system.

If the kernel in your product is not a Red Hat kernel, then most probably it is vulnerable; please confirm this with your kernel vendor.

Please also note that this Bugzilla is not a support tool and does not have SLAs for replies. Please open a support ticket at the Red Hat Portal (access.redhat.com/support) or email secalert for security-related questions; these systems are monitored and have SLAs.

Comment 27 Vladis Dronov 2018-08-14 19:58:00 UTC
(In reply to Frank Liu from comment #22)
> I see new kernel is released https://access.redhat.com/errata/RHSA-2018:2384 
> The Fixes mention 
> "BZ - 1601704 - CVE-2018-5390 kernel: TCP segments with random offsets allow
> a remote denial of service (SegmentSmack)"

Yes, exactly. RHSA-2018:2384 is a security advisory for RHEL-7.5 which fixes SegmentSmack along with L1TF and other vulnerabilities.

Comment 28 errata-xmlrpc 2018-08-14 20:24:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2395 https://access.redhat.com/errata/RHSA-2018:2395

Comment 29 errata-xmlrpc 2018-08-15 10:20:15 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2403 https://access.redhat.com/errata/RHSA-2018:2403

Comment 30 errata-xmlrpc 2018-08-16 05:20:52 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2402 https://access.redhat.com/errata/RHSA-2018:2402

Comment 31 Petr Matousek 2018-08-16 10:15:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390

Comment 32 Ján Rusnačko 2018-08-17 10:05:17 UTC
Acknowledgments:

Name: Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs)

Comment 33 errata-xmlrpc 2018-09-04 14:01:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2645 https://access.redhat.com/errata/RHSA-2018:2645

Comment 34 errata-xmlrpc 2018-09-25 20:21:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2018:2789 https://access.redhat.com/errata/RHSA-2018:2789

Comment 35 errata-xmlrpc 2018-09-25 20:23:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:2791 https://access.redhat.com/errata/RHSA-2018:2791

Comment 36 errata-xmlrpc 2018-09-25 20:37:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2018:2790 https://access.redhat.com/errata/RHSA-2018:2790

Comment 37 errata-xmlrpc 2018-09-25 20:43:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2018:2785 https://access.redhat.com/errata/RHSA-2018:2785

Comment 38 errata-xmlrpc 2018-09-25 20:44:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:2776 https://access.redhat.com/errata/RHSA-2018:2776

Comment 39 errata-xmlrpc 2018-10-16 14:49:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2924 https://access.redhat.com/errata/RHSA-2018:2924

Comment 40 errata-xmlrpc 2018-10-16 18:55:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:2933 https://access.redhat.com/errata/RHSA-2018:2933

Comment 41 errata-xmlrpc 2018-10-30 09:03:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948