Bug 1601704 (CVE-2018-5390, SegmentSmack)
Summary: | CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | abhgupta, airlied, aquini, bhu, blc, bskeggs, carnil, chadd, conrad.j.allen, cperry, dbaker, dhoward, ewk, fhrbata, fwestpha, gfrankliu, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, igeorgex, itamar, jarodwilson, jeharris, jforbes, jglisse, jkacur, john.j5live, jokerman, jonathan, josef, jross, jshepherd, jstancek, jwboyer, kelly_chen, kernel-maint, kernel-mgr, labbott, lacyc3, lgoncalv, linville, madhavani, matt, mchehab, mcressma, mickygough, midr, mjg59, mlangsdo, mleitner, mvanderw, nmurray, pabeni, plougher, pmatouse, psampaio, rik.theys, rkhan, rmullett, rt-maint, rvrbovsk, sardella, security-response-team, sfowler, shalygin.k, skozina, slawomir, steved, sthangav, sukulkar, trankin, vdronov, williams, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time- and computation-expensive calls to the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions, which could lead to CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, so the attacks cannot be performed using spoofed IP addresses.
|
Last Closed: | 2019-03-05 14:07:59 UTC | Type: | --- |
Bug Depends On: | 1603011, 1611364, 1611365, 1611366, 1611368, 1611369, 1611371, 1611372, 1611374, 1611375, 1611376, 1611378, 1611379, 1611380, 1611382, 1611383, 1613054, 1613055 | ||
Bug Blocks: | 1599112, 1612947, 1612948, 1612949, 1612950 |
Description
Sam Fowler
2018-07-17 05:06:02 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/articles/3553061

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, 7, its real-time kernel, Red Hat Enterprise MRG 2, Red Hat Enterprise Linux 7 for ARM 64, and Red Hat Enterprise Linux 7 for Power 9. Future kernel updates for the respective releases will address this issue.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, but to a lesser degree. As such, the issue severity for RHEL5 is considered Moderate. This is not currently planned to be addressed in future updates of the product due to its life cycle and the issue severity. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1613055]

This was fixed for Fedora with the 4.17.11 stable updates.

The link https://www.kb.cert.org/vuls/id/962459 mentioned in the first post says "The Linux kernel versions 4.9+ and supported versions of FreeBSD are vulnerable". Since only Fedora has kernel 4.x, which is fixed in above comment 15, are we safe with Red Hat Enterprise Linux 5, 6, 7?

Red Hat maintains different versioning system than upstream. It is incorrect to focus on version number, instead the focus should be on the specific feature or bug/security fix that the later upstream software have.

https://access.redhat.com/solutions/2074

Current RHEL release with moderate new kernels are affected. Fixes are backported by Red Hat from upstream and are released as backported version i.e. 2.6.32.x or 3.10.x.

Continuing Frank's question and Himanchu's answer. RHEL 5.11 was released in 9/2014 while kernel 4.9 was released in 12/2016. So, I can understand how later updates to RHEL 6,7 got the buggy code - but is RHEL 5.x actually affected?

The kernel in our product is 2.6.32, is it affected by CVE-2018-5390? just want to confirm about this. Thank you for your reply.

Bugzilla is not a support tool. Please, open a support case at access.redhat.com if you have any additional questions. Thank you!

I see "Red Hat Enterprise Linux 5" was removed from "Affected Products" from this page: https://access.redhat.com/articles/3553061
I assume it will be removed from https://access.redhat.com/security/cve/cve-2018-5390 too.

I see new kernel is released https://access.redhat.com/errata/RHSA-2018:2384
The Fixes mention
"BZ - 1601704 - CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack)"

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2384 https://access.redhat.com/errata/RHSA-2018:2384

(In reply to Frank Liu from comment #16)
> The link https://www.kb.cert.org/vuls/id/962459 mentioned in the first post
> says "The Linux kernel versions 4.9+ and supported versions of FreeBSD are
> vulnerable". Since only Fedora has kernel 4.x, which is fixed in above
> comment 15, are we safe with Red Hat Enterprise Linux 5, 6, 7?

The network stack was backported to RHEL-7 from the (approx.) version 4.14 upstream Linux kernel, so this flaw was backported too. Parts of the latest network stack were backported to RHEL-6 and -5 also. So the answer to your question is - no, you are not safe, these RHEL versions are vulnerable.

RHEL-5 is affected by these flaws by a significantly lesser degree. As such, the flaws severity for RHEL5 is considered Moderate.

Please, also note, this Bugzilla is not a support tool and does not have SLAs for replies. Please, open a support ticket at Red Hat Portal access.redhat.com or email secalert for security-related questions, these systems are monitored and have SLAs.

(In reply to Ethan Schorer from comment #18)
> So, I can understand how later updates to RHEL 6,7 got the buggy code - but
> is RHEL 5.x actually affected?

RHEL-5 is affected by these flaws by a significantly lesser degree. Namely, in our tests only a high-speed attack of 1Mpps (packets, not bytes or bits) was able to barely saturate 1 CPU core. As such, the flaws severity for RHEL5 is considered Moderate.

Please, also note, this Bugzilla is not a support tool and does not have SLAs for replies. Please, open a support ticket at Red Hat Portal access.redhat.com/support or email secalert for security-related questions, these systems are monitored and have SLAs.

(In reply to kelly_chen from comment #19)
> The kernel in our product is 2.6.32, is it affected by CVE-2018-5390? just
> want to confirm about this. Thank you for your reply.

Is the kernel in your product a Red Hat's kernel (i.e. RHEL)? If yes, then yes again, it is affected. Namely, in our tests a 30 kpps 1-stream attack fully saturates 1 core of the 2-cores RHEL-6 system.

If the kernel in your product is not a Red Hat's kernel, then most probably it is vulnerable, please, confirm this with your kernel vendor.

Please, also note, this Bugzilla is not a support tool and does not have SLAs for replies. Please, open a support ticket at Red Hat Portal access.redhat.com/support or email secalert for security-related questions, these systems are monitored and have SLAs.

(In reply to Frank Liu from comment #22)
> I see new kernel is released https://access.redhat.com/errata/RHSA-2018:2384
> The Fixes mention
> "BZ - 1601704 - CVE-2018-5390 kernel: TCP segments with random offsets allow
> a remote denial of service (SegmentSmack)"

Yes, exactly, RHSA-2018:2384 is a security advisory and fixed for RHEL-7.5 which fixes SegmentSmack along with L1TF and other vulnerabilities.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2395 https://access.redhat.com/errata/RHSA-2018:2395

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2403 https://access.redhat.com/errata/RHSA-2018:2403

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2402 https://access.redhat.com/errata/RHSA-2018:2402

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390

Acknowledgments:

Name: Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs)

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2645 https://access.redhat.com/errata/RHSA-2018:2645

This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2018:2789 https://access.redhat.com/errata/RHSA-2018:2789

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:2791 https://access.redhat.com/errata/RHSA-2018:2791

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2018:2790 https://access.redhat.com/errata/RHSA-2018:2790

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2018:2785 https://access.redhat.com/errata/RHSA-2018:2785

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:2776 https://access.redhat.com/errata/RHSA-2018:2776

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2924 https://access.redhat.com/errata/RHSA-2018:2924

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:2933 https://access.redhat.com/errata/RHSA-2018:2933

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948
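
Added example (not part of the bug report or of any Red Hat tooling): the Doc Text above ties the CPU cost to the out-of-order queue prune and collapse paths, and the kernel exports counters for those paths in the TcpExt section of /proc/net/netstat, so a host can be checked for this pressure by comparing two snapshots. The snapshots, the 10-second interval and the 100 events/s threshold below are constructed assumptions to be replaced with per-host baselines.

```python
"""Added example: spot out-of-order-queue pressure from /proc/net/netstat deltas."""

# Counters on the receive-queue prune/collapse paths; older kernels may lack some.
WATCH = ("PruneCalled", "OfoPruned", "TCPRcvCollapsed", "TCPOFOQueue")

# Constructed snapshots (not captured from a real host), taken 10 s apart.
HEADER = "TcpExt: PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue TCPOFODrop"
IPEXT = "IpExt: InOctets OutOctets\nIpExt: 900000 450000\n"
BEFORE = f"{HEADER}\nTcpExt: 2 0 1 40 1200 0\n{IPEXT}"
AFTER = f"{HEADER}\nTcpExt: 15002 0 14801 912040 301200 0\n{IPEXT}"


def parse_netstat(text, section="TcpExt"):
    """Return {counter: value} for one section of /proc/net/netstat.

    The file is a sequence of line pairs: a header line of names and a line of
    values, both starting with the same "Section:" prefix.
    """
    rows = [line.split() for line in text.splitlines() if line.strip()]
    for names, values in zip(rows[::2], rows[1::2]):
        if names[0] == values[0] == section + ":":
            if len(names) != len(values):
                raise ValueError(f"{section}: header/value length mismatch")
            return dict(zip(names[1:], (int(v) for v in values[1:])))
    raise ValueError(f"{section} section not found")


def ofo_pressure(before, after, interval_s, threshold_per_s=100.0):
    """Return {counter: events_per_second} for watched counters above threshold.

    threshold_per_s is an illustrative default, not a vendor-recommended value;
    baseline it per host, since lossy links legitimately grow TCPOFOQueue.
    """
    old, new = parse_netstat(before), parse_netstat(after)
    hits = {}
    for name in WATCH:
        if name not in old or name not in new:
            continue  # counter not exported by this kernel
        delta = new[name] - old[name]
        if delta < 0:
            continue  # counters reset (e.g. reboot between samples)
        rate = delta / interval_s
        if rate > threshold_per_s:
            hits[name] = rate
    return hits


if __name__ == "__main__":
    for counter, rate in ofo_pressure(BEFORE, AFTER, 10).items():
        print(f"{counter}: {rate:.0f}/s")
```

On a live host, pass two reads of /proc/net/netstat taken a known number of seconds apart in place of the constructed strings.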