SegmentSmack and FragmentSmack: IP fragments and TCP segments with random offsets may cause a remote denial of service [CVE-2018-5390, CVE-2018-5391]
Overview
Two security flaws named SegmentSmack and FragmentSmack were recently found in the Linux kernel.
A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time- and computation-expensive calls to the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions, which could lead to CPU saturation and hence a denial of service on the system with a relatively small bandwidth of incoming network traffic. In a worst-case scenario, an attacker can stall an affected host or device with less than 2 kpps of attack traffic. Maintaining the denial-of-service condition requires continuous two-way TCP sessions to a reachable open port, so the attack cannot be performed using spoofed IP addresses.
The result of an attack with 4 streams can look like complete saturation of 4 CPU cores and delays in network packet processing:
$ top
%Cpu25 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.5 si, 0.0 st
%Cpu26 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.6 si, 0.0 st
%Cpu28 : 0.0 us, 0.3 sy, 0.0 ni, 0.7 id, 0.0 wa, 0.0 hi, 99.0 si, 0.0 st
%Cpu30 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.6 si, 0.0 st
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
141 root 20 0 0 0 0 R 97.3 0.0 1:16.33 ksoftirqd/26
151 root 20 0 0 0 0 R 97.3 0.0 1:16.68 ksoftirqd/28
136 root 20 0 0 0 0 R 97.0 0.0 0:39.09 ksoftirqd/25
161 root 20 0 0 0 0 R 97.0 0.0 1:16.48 ksoftirqd/30
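As an added example (not part of the Red Hat article), the following POSIX shell script checks for the two symptoms above from the defender's side: the per-CPU softirq share computed from two /proc/stat snapshots (the "si" column top shows, and what ksoftirqd/N at ~100% means) and the growth of the TcpExtTCPOFOQueue counter in /proc/net/netstat, which counts segments placed on the out-of-order queue that tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() operate on. The snapshot files are constructed inline; the 90% threshold, the function names and the sample counter values are my choices, not values from the advisory.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: spot SegmentSmack-style load
# from two snapshots of /proc/stat and /proc/net/netstat.

# saturated_cpus BEFORE AFTER [THRESHOLD]
# Prints every cpuN whose softirq share of the ticks elapsed between the two
# /proc/stat snapshots is at or above THRESHOLD percent (default 90).
saturated_cpus() {
    awk -v thr="${3:-90}" '
        # cpuN user nice system idle iowait irq softirq steal guest guest_nice
        /^cpu[0-9]+ / {
            total = 0
            for (i = 2; i <= 9; i++) total += $i
            if (FNR == NR) { t0[$1] = total; si0[$1] = $8; next }
            dt = total - t0[$1]; dsi = $8 - si0[$1]
            if (dt > 0 && 100 * dsi / dt >= thr)
                printf "%s softirq %.1f%%\n", $1, 100 * dsi / dt
        }' "$1" "$2"
}

# tcpext_counter FILE NAME
# Prints one TcpExt counter from a /proc/net/netstat snapshot: the file holds
# a header line of counter names followed by a line of values.
tcpext_counter() {
    awk -v name="$2" '
        $1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) col[$i] = i; seen = 1; next }
        $1 == "TcpExt:" && seen  { if (name in col) print $(col[name]); exit }
    ' "$1"
}

# ofo_delta BEFORE AFTER
# Growth of TCPOFOQueue between two netstat snapshots. A sustained surge
# with little useful throughput matches the traffic pattern described above.
ofo_delta() {
    echo $(( $(tcpext_counter "$2" TCPOFOQueue) - $(tcpext_counter "$1" TCPOFOQueue) ))
}

# make_samples: writes constructed snapshots (not real captures) to a temp
# directory and prints its path. cpu1 spends almost all of its ticks in
# softirq while cpu0 is idle; the OFO counter jumps by 840000.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/stat.before" <<'EOF'
cpu  1000 0 500 90000 10 0 200 0 0 0
cpu0 500 0 250 45000 5 0 100 0 0 0
cpu1 500 0 250 45000 5 0 100 0 0 0
EOF
    cat > "$dir/stat.after" <<'EOF'
cpu  1100 0 550 91000 10 0 5200 0 0 0
cpu0 550 0 300 46000 5 0 100 0 0 0
cpu1 550 0 250 45000 5 0 5100 0 0 0
EOF
    cat > "$dir/netstat.before" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv TCPOFOQueue TCPOFODrop TCPOFOMerge
TcpExt: 0 0 17 0 2
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
    cat > "$dir/netstat.after" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv TCPOFOQueue TCPOFODrop TCPOFOMerge
TcpExt: 0 0 840017 3 2
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
    echo "$dir"
}

# Stand-alone run against the constructed samples. On a live host copy
# /proc/stat and /proc/net/netstat to files a few seconds apart instead.
if [ "${1:-}" = "demo" ]; then
    d=$(make_samples)
    saturated_cpus "$d/stat.before" "$d/stat.after"
    echo "TCPOFOQueue delta: $(ofo_delta "$d/netstat.before" "$d/netstat.after")"
fi
```

Run it with the argument demo to see the constructed case; cpu1 is reported at 99.0% softirq and the counter delta is 840000. A softirq share alone can also come from a legitimate traffic burst, so the OFO counter growth is the more specific indicator for this particular flaw.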
A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger the time- and computation-expensive fragment reassembly algorithm by sending specially crafted packets, which could lead to CPU saturation and hence a denial of service on the system.
The result of a 30 kpps attack on a physical system with Intel(R) Xeon(R) D-1587@1.70GHz CPUs and 32 cores in total may look like complete saturation of one core:
top - 08:59:45 up 1:34, 2 users, load average: 0.39, 0.15, 0.08
%Cpu9 : 0.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi,100.0 si, 0.0 st
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
54 root 20 0 0 0 0 R 99.7 0.0 0:47.53 ksoftirqd/9
An attack from a single IP host may saturate more than one CPU core by forging packets so that they appear to come from different IP addresses. The Linux kernel uses a complex algorithm to schedule IP fragment reassembly among the CPU cores, so reassembly can be distributed across different cores, but this is considerably harder to achieve than with the SegmentSmack flaw. Such an attack from 2 forged IP addresses may look like complete saturation of 2 cores, although, as noted, this is harder for an attacker to achieve:
top - 10:10:36 up 34 min, 2 users, load average: 0.51, 0.29, 0.15
%Cpu3 : 0.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi,100.0 si, 0.0 st
%Cpu7 : 0.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi,100.0 si, 0.0 st
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
24 root 20 0 0 0 0 R 100.0 0.0 1:50.69 ksoftirqd/3
44 root 20 0 0 0 0 R 100.0 0.0 1:07.11 ksoftirqd/7
Affected Products
SegmentSmack and FragmentSmack attacks are possible due to the algorithms used in the Linux kernel network stack; all the Red Hat products with moderately new Linux kernel versions are affected.
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 7 for Real Time
- Red Hat Enterprise Linux 7 for ARM64
- Red Hat Enterprise Linux 7 for IBM Power9
- Red Hat Enterprise Linux 7 for IBM SystemZ
- Red Hat Enterprise Linux Atomic Host
- Red Hat Enterprise MRG 2
- Red Hat Virtualization 4
RHEL 5 is affected by these flaws to a significantly lesser degree: in our tests only a high-speed attack of 1 Mpps (packets, not bytes or bits) was able to barely saturate one CPU core. As such, the severity of the flaws for RHEL 5 is considered Moderate.
Resolution
SegmentSmack
No effective workaround or mitigation besides a fixed kernel is known at this time. Red Hat is tracking fixes via Bugzilla ticket 1601704. Red Hat Enterprise Linux kernel updates will be released as they become available.
Updates for Affected Products
Product | Package | Advisory/Update |
---|---|---|
Red Hat Enterprise Linux 7 | kernel | RHSA-2018:2384 |
Red Hat Enterprise Linux 7 for Real Time | kernel-rt | RHSA-2018:2395 |
Red Hat Enterprise Linux 7.4 Extended Update Support* | kernel | RHSA-2018:2776 |
Red Hat Enterprise Linux 7.3 Extended Update Support* | kernel | RHSA-2018:2785 |
Red Hat Enterprise Linux 7.2 AUS**/TUS*** | kernel | RHSA-2018:2790 |
Red Hat Enterprise Linux 6 | kernel | RHSA-2018:2390 |
Red Hat Enterprise Linux 6.7 Extended Update Support* | kernel | RHSA-2018:2645 |
Red Hat Enterprise Linux 6.6 AUS**/TUS*** | kernel | RHSA-2018:2924 |
Red Hat Enterprise Linux 6.5 Advanced Update Support** | kernel | RHSA-2018:2933 |
Red Hat Enterprise Linux 6.4 Advanced Update Support** | kernel | RHSA-2018:2791 |
Red Hat Enterprise Linux 7 for ARM64/Power9/SystemZ | kernel | RHSA-2018:2948 |
Red Hat Enterprise MRG 2 | kernel-rt | RHSA-2018:2789 |
Red Hat Virtualization 4 | rhvm-appliance | RHSA-2018:2402 |
Red Hat Virtualization 4 | redhat-virtualization-host | RHSA-2018:2403 |
*An active EUS subscription is required for access to this patch. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription. Also see What is the Red Hat Enterprise Linux Extended Update Support Subscription?.
**An active AUS subscription is required for access to this patch. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active AUS subscription. Also see What is Advanced mission critical Update Support (AUS)?.
***An active TUS subscription is required for access to this patch. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active TUS subscription.
FragmentSmack
Red Hat is tracking fixes via Bugzilla ticket 1609664. Red Hat Enterprise Linux kernel updates will be released as they become available.
Updates for Affected Products
Product | Package | Advisory/Update |
---|---|---|
Red Hat Enterprise Linux 7 | kernel | RHSA-2018:3083 |
Red Hat Enterprise Linux 7 for Real Time | kernel-rt | RHSA-2018:3096 |
Red Hat Enterprise Linux 7.5 Extended Update Support* | kernel | RHSA-2018:3459 |
Red Hat Enterprise Linux 7.4 Extended Update Support* | kernel | RHSA-2018:3540 |
Red Hat Enterprise Linux 7.3 Extended Update Support* | kernel | RHSA-2018:2785 |
Red Hat Enterprise Linux 7.2 AUS**/TUS*** | kernel | RHSA-2018:3590 |
Red Hat Enterprise Linux 6 | kernel | RHSA-2018:2846 |
Red Hat Enterprise Linux 6.7 Extended Update Support* | kernel | RHSA-2018:2925 |
Red Hat Enterprise Linux 6.6 AUS**/TUS*** | kernel | RHSA-2018:2924 |
Red Hat Enterprise Linux 6.5 Advanced Update Support** | kernel | RHSA-2018:2933 |
Red Hat Enterprise Linux 6.4 Advanced Update Support** | kernel | RHSA-2018:2791 |
Red Hat Enterprise Linux 7 for ARM64/Power9/SystemZ | kernel | RHSA-2018:2948 |
Red Hat Enterprise MRG 2 | kernel-rt | RHSA-2018:3586 |
*An active EUS subscription is required for access to this patch. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription. Also see What is the Red Hat Enterprise Linux Extended Update Support Subscription?.
**An active AUS subscription is required for access to this patch. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active AUS subscription. Also see What is Advanced mission critical Update Support (AUS)?.
***An active TUS subscription is required for access to this patch. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active TUS subscription.
Mitigation
Apart from installing a fixed kernel, one may try to lower the default 4 MB and 3 MB values of the net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_low_thresh sysctl parameters (and their IPv6 counterparts net.ipv6.ip6frag_high_thresh and net.ipv6.ip6frag_low_thresh) to 256 kB and 192 kB respectively, or below. The result is a drop in CPU saturation during an attack that ranges from modest to significant, depending on the hardware and environment. For example, this mitigation applied to the 32-core system mentioned above made a high-speed attack (~500 kpps) not noticeable.
There can be some impact on performance, though: with ipfrag_high_thresh set to 262144 bytes, only two 64K datagrams under reassembly can fit in the reassembly queue at the same time. For example, there is a risk of breaking applications that rely on large UDP packets.
The following simple script can be used to quickly change to/from the default and lower settings:
#!/bin/sh
# Switch the IP fragment reassembly thresholds between the kernel defaults
# and the lowered (mitigated) values, then print the current settings.
# Usage: <script> low|def   (any other argument only prints the values)
if [ "x$1" = "xlow" ]; then
    echo Setting limits low:
    # When lowering, set low_thresh first so that it never ends up above
    # high_thresh, an ordering the kernel enforces for these sysctls.
    sysctl -w net.ipv4.ipfrag_low_thresh=196608
    sysctl -w net.ipv4.ipfrag_high_thresh=262144
    sysctl -w net.ipv6.ip6frag_low_thresh=196608
    sysctl -w net.ipv6.ip6frag_high_thresh=262144
    echo
elif [ "x$1" = "xdef" ]; then
    echo Setting limits default:
    # When raising, set high_thresh first for the same reason.
    sysctl -w net.ipv4.ipfrag_high_thresh=4194304
    sysctl -w net.ipv4.ipfrag_low_thresh=3145728
    sysctl -w net.ipv6.ip6frag_high_thresh=4194304
    sysctl -w net.ipv6.ip6frag_low_thresh=3145728
    echo
fi
echo Current values:
sysctl net.ipv4.ipfrag_low_thresh
sysctl net.ipv4.ipfrag_high_thresh
sysctl net.ipv6.ip6frag_low_thresh
sysctl net.ipv6.ip6frag_high_thresh
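To verify that the mitigation is actually in place rather than only apply it, here is an added audit script (mine, not Red Hat's) that checks a low/high threshold pair against the values recommended above: both must be at or below 196608/262144 bytes, and low_thresh must stay below high_thresh. The value check is kept separate from the /proc reads so it can be exercised without root; the function names and messages are my choices.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: audit the FragmentSmack
# sysctl mitigation. The 262144/196608-byte targets are the values the
# article recommends; low < high is the kernel's own constraint.

MITIGATED_HIGH=262144
MITIGATED_LOW=196608

# check_frag_thresholds LOW HIGH
# Prints a one-line verdict and returns 0 only when the pair is both
# mitigated and internally consistent (1 otherwise, 2 on bad input).
check_frag_thresholds() {
    low=$1; high=$2
    if [ -z "$low" ] || [ -z "$high" ]; then
        echo "missing value: low='$low' high='$high'"; return 2
    fi
    case "$low$high" in
        *[!0-9]*) echo "non-numeric value: low=$low high=$high"; return 2 ;;
    esac
    if [ "$low" -ge "$high" ]; then
        echo "invalid: low_thresh ($low) must be below high_thresh ($high)"; return 1
    fi
    if [ "$high" -gt "$MITIGATED_HIGH" ] || [ "$low" -gt "$MITIGATED_LOW" ]; then
        echo "unmitigated: low=$low high=$high (target <= $MITIGATED_LOW/$MITIGATED_HIGH)"; return 1
    fi
    echo "mitigated: low=$low high=$high"; return 0
}

# audit_live ipv4|ipv6
# Reads the live sysctl files; note the IPv6 names use the ip6frag_ prefix.
audit_live() {
    case "$1" in
        ipv4) base=/proc/sys/net/ipv4; pfx=ipfrag ;;
        ipv6) base=/proc/sys/net/ipv6; pfx=ip6frag ;;
        *) echo "usage: audit_live ipv4|ipv6" >&2; return 2 ;;
    esac
    check_frag_thresholds "$(cat "$base/${pfx}_low_thresh" 2>/dev/null)" \
                          "$(cat "$base/${pfx}_high_thresh" 2>/dev/null)"
}

# Stand-alone run: audit both families on this host.
if [ "${1:-}" = "audit" ]; then
    rc=0
    for fam in ipv4 ipv6; do
        printf '%s: ' "$fam"; audit_live "$fam" || rc=1
    done
    exit $rc
fi
```

Run it with the argument audit on a host; a non-zero exit means at least one family is still at the default thresholds or the pair is inconsistent, which is what a configuration-management check would key on.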
Acknowledgments
Red Hat thanks Juha-Matti Tilli from Aalto University, Department of Communications and Networking and Nokia Bell Labs for reporting this vulnerability.