Bug 1601704 - (CVE-2018-5390, SegmentSmack) CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20180806,repo...
Keywords: Security
Depends On: 1603011 1611364 1611365 1611366 1611369 1611371 1611372 1611374 1611375 1611379 1611380 1611382 1611383 1613054 1611368 1611376 1611378 1613055
Blocks: 1599112 1612947 1612948 1612949 1612950
 
Reported: 2018-07-17 01:06 EDT by Sam Fowler
Modified: 2018-08-18 15:01 EDT (History)

Doc Text:
A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.

External Trackers
Tracker                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2018:2384  None      None    None     2018-08-14 14:45 EDT
Red Hat Product Errata   RHSA-2018:2395  None      None    None     2018-08-14 16:25 EDT
Red Hat Product Errata   RHSA-2018:2402  None      None    None     2018-08-16 01:21 EDT
Red Hat Product Errata   RHSA-2018:2403  None      None    None     2018-08-15 06:20 EDT

Description Sam Fowler 2018-07-17 01:06:02 EDT
A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.

External References:

https://access.redhat.com/articles/3553061

https://www.kb.cert.org/vuls/id/962459

https://www.spinics.net/lists/netdev/msg514742.html

An upstream fix is a merge commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e

consisting of the following commits:

commit 72cd43ba64fc172a443410ce01645895850844c8
commit f4a3313d8e2ca9fd8d8f45e40a2903ba782607e7
commit 3d4bf93ac12003f9b8e1e2de37fe27983deebdcf
commit 8541b21e781a22dce52a74fef0b9bed00404a1cd
commit 58152ecbbcc6a0ce7fddd5bf5f6ee535834ece0c
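To show what the fix changes in the code path the description names, here is a simplified Python model (added here; not code from the page, the reporter, or the kernel) of the tcp_collapse_ofo_queue() pass before and after upstream commit 3d4bf93a from the list above. The pre/post logic is my paraphrase of that commit, not kernel code; TINY_RANGE_BYTES, RCVBUF, the segment sizes and the truesize values are constructed stand-ins for kernel constants and real skbs.

```python
from collections import namedtuple

TINY_RANGE_BYTES = 4096   # stands in for SKB_WITH_OVERHEAD(SK_MEM_QUANTUM); assumed value
RCVBUF = 128 * 1024       # constructed sk_rcvbuf (socket receive buffer limit)

# seq/end_seq: TCP sequence range carried by the skb; truesize: memory charged for it
Segment = namedtuple("Segment", "seq end_seq truesize")

def ranges(queue):
    # Split a seq-sorted out-of-order queue into runs of adjacent or overlapping
    # segments; a run ends at the first segment that starts after a gap.
    runs, end = [], 0
    for skb in queue:
        if runs and skb.seq <= end:
            runs[-1].append(skb)
            end = max(end, skb.end_seq)
        else:
            runs.append([skb])
            end = skb.end_seq
    return runs

def collapse_work_before_fix(queue):
    # Pre-fix: every run goes to tcp_collapse(), which copies each skb in it
    # into fresh skbs, however little payload each one carries.
    runs = ranges(queue)
    return sum(len(r) for r in runs), len(runs)   # (skbs copied, runs scanned)

def collapse_work_after_fix(queue, rcvbuf=RCVBUF):
    # Post-fix: a run made of one tiny skb is left alone (collapsing gains
    # nothing), and once the skipped tiny memory exceeds rcvbuf/8 the pass stops.
    work = sum_tiny = scanned = 0
    for run in ranges(queue):
        scanned += 1
        range_truesize = sum(s.truesize for s in run)
        span = max(s.end_seq for s in run) - min(s.seq for s in run)
        if range_truesize != run[0].truesize or span >= TINY_RANGE_BYTES:
            work += len(run)
        else:
            sum_tiny += range_truesize
            if sum_tiny > rcvbuf >> 3:
                break
    return work, scanned   # (skbs copied, runs scanned)

def bulk_loss_queue():
    # Constructed benign case: four full-size segments around one lost segment.
    return [Segment(1000, 2400, 2304), Segment(2400, 3800, 2304),
            Segment(5000, 6400, 2304), Segment(6400, 7800, 2304)]

def random_offset_queue(n=2000):
    # Constructed SegmentSmack-style case: n one-byte segments, each behind a gap.
    return [Segment(1000 + 2 * i, 1001 + 2 * i, 768) for i in range(n)]
```

The benign queue costs the same before and after the fix, while the random-offset queue drops from one copy per segment to zero copies with the scan cut off after a bounded number of runs.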
Comment 12 Eric Christensen 2018-08-06 14:02:50 EDT
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/articles/3553061

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, 7, its real-time kernel, Red Hat Enterprise MRG 2, Red Hat Enterprise Linux 7 for ARM 64, and Red Hat Enterprise Linux 7 for Power 9. Future kernel updates for the respective releases will address this issue.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, but to a lesser degree. As such, the issue severity for RHEL5 is considered Moderate. This is not currently planned to be addressed in future updates of the product due to its life cycle and the issue severity. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 13 Vladis Dronov 2018-08-06 17:33:37 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1613055]
Comment 15 Justin M. Forbes 2018-08-08 05:43:29 EDT
This was fixed for Fedora with the 4.17.11 stable updates.
Comment 16 Frank Liu 2018-08-09 16:46:31 EDT
The link https://www.kb.cert.org/vuls/id/962459 mentioned in the first post says "The Linux kernel versions 4.9+ and supported versions of FreeBSD are vulnerable". Since only Fedora has kernel 4.x, which is fixed in above comment 15, are we safe with Red Hat Enterprise Linux 5, 6, 7?
Comment 17 Himanshu Madhavani 2018-08-10 00:56:06 EDT
Red Hat maintains a different versioning system than upstream. It is incorrect to focus on the version number; instead the focus should be on the specific feature or bug/security fix that the later upstream software has.

https://access.redhat.com/solutions/2074

Current RHEL releases with moderately new kernels are affected. Fixes are backported by Red Hat from upstream and are released as backported versions, i.e. 2.6.32.x or 3.10.x.
Comment 18 Ethan Schorer 2018-08-12 09:09:21 EDT
Continuing Frank's question and Himanshu's answer.
RHEL 5.11 was released in 9/2014 while kernel 4.9 was released in 12/2016.

So, I can understand how later updates to RHEL 6,7 got the buggy code - but is RHEL 5.x actually affected?
Comment 19 kelly_chen 2018-08-13 05:25:43 EDT
The kernel in our product is 2.6.32; is it affected by CVE-2018-5390? I just want to confirm this. Thank you for your reply.
Comment 20 Adam Mariš 2018-08-14 04:14:36 EDT
Bugzilla is not a support tool. Please, open a support case at access.redhat.com if you have any additional questions.

Thank you!
Comment 21 Frank Liu 2018-08-14 13:03:39 EDT
I see "Red Hat Enterprise Linux 5" was removed from "Affected Products" from this page: https://access.redhat.com/articles/3553061
I assume it will be removed from https://access.redhat.com/security/cve/cve-2018-5390 too.
Comment 22 Frank Liu 2018-08-14 14:08:43 EDT
I see a new kernel is released: https://access.redhat.com/errata/RHSA-2018:2384
The Fixes mention
"BZ - 1601704 - CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack)"
Comment 23 errata-xmlrpc 2018-08-14 14:45:06 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2384 https://access.redhat.com/errata/RHSA-2018:2384
Comment 24 Vladis Dronov 2018-08-14 15:46:56 EDT
(In reply to Frank Liu from comment #16)
> The link https://www.kb.cert.org/vuls/id/962459 mentioned in the first post
> says "The Linux kernel versions 4.9+ and supported versions of FreeBSD are
> vulnerable". Since only Fedora has kernel 4.x, which is fixed in above
> comment 15, are we safe with Red Hat Enterprise Linux 5, 6, 7?

The network stack was backported to RHEL-7 from the (approx.) version 4.14 upstream Linux kernel, so this flaw was backported too. Parts of the latest network stack were backported to RHEL-6 and -5 also. So the answer to your question is: no, you are not safe; these RHEL versions are vulnerable.

RHEL-5 is affected by these flaws to a significantly lesser degree. As such, the flaws' severity for RHEL5 is considered Moderate.

Please, also note, this Bugzilla is not a support tool and does not have SLAs for replies. Please, open a support ticket at Red Hat Portal access.redhat.com or email secalert@redhat.com for security-related questions, these systems are monitored and have SLAs.
Comment 25 Vladis Dronov 2018-08-14 15:49:59 EDT
(In reply to Ethan Schorer from comment #18)
> So, I can understand how later updates to RHEL 6,7 got the buggy code - but
> is RHEL 5.x actually affected?

RHEL-5 is affected by these flaws to a significantly lesser degree. Namely, in our tests only a high-speed attack of 1 Mpps (packets, not bytes or bits) was able to barely saturate 1 CPU core. As such, the flaws' severity for RHEL5 is considered Moderate.

Please, also note, this Bugzilla is not a support tool and does not have SLAs for replies. Please, open a support ticket at Red Hat Portal access.redhat.com/support or email secalert@redhat.com for security-related questions, these systems are monitored and have SLAs.
Comment 26 Vladis Dronov 2018-08-14 15:54:35 EDT
(In reply to kelly_chen from comment #19)
> The kernel in our product is 2.6.32, is it affected by CVE-2018-5390? just
> want to confirm about this. Thank you for your reply.

Is the kernel in your product a Red Hat kernel (i.e. RHEL)? If yes, then yes again, it is affected. Namely, in our tests a 30 kpps 1-stream attack fully saturates 1 core of the 2-core RHEL-6 system.

If the kernel in your product is not a Red Hat kernel, then most probably it is vulnerable; please confirm this with your kernel vendor.

Please, also note, this Bugzilla is not a support tool and does not have SLAs for replies. Please, open a support ticket at Red Hat Portal access.redhat.com/support or email secalert@redhat.com for security-related questions, these systems are monitored and have SLAs.
Comment 27 Vladis Dronov 2018-08-14 15:58:00 EDT
(In reply to Frank Liu from comment #22)
> I see new kernel is released https://access.redhat.com/errata/RHSA-2018:2384 
> The Fixes mention 
> "BZ - 1601704 - CVE-2018-5390 kernel: TCP segments with random offsets allow
> a remote denial of service (SegmentSmack)"

Yes, exactly, RHSA-2018:2384 is a security advisory and fix for RHEL-7.5 which fixes SegmentSmack along with L1TF and other vulnerabilities.
Comment 28 errata-xmlrpc 2018-08-14 16:24:44 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2395 https://access.redhat.com/errata/RHSA-2018:2395
Comment 29 errata-xmlrpc 2018-08-15 06:20:15 EDT
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2403 https://access.redhat.com/errata/RHSA-2018:2403
Comment 30 errata-xmlrpc 2018-08-16 01:20:52 EDT
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2402 https://access.redhat.com/errata/RHSA-2018:2402
Comment 31 Petr Matousek 2018-08-16 06:15:00 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390
Comment 32 Ján Rusnačko 2018-08-17 06:05:17 EDT
Acknowledgments:

Name: Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs)
