TCP implementations vulnerable to Denial of Service | Traficom

TCP implementations vulnerable to Denial of Service

December 31, 2018 at 10:32

The network stacks of recent Linux and FreeBSD kernels have a vulnerability that makes it possible to perform denial of service attacks with low packet volumes. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port.

The vulnerability is related to the handling of TCP segments within the Linux and FreeBSD TCP/IP stacks. Mounting the attack requires an established two-way TCP connection to an open port. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Thus, the attacks cannot be performed using spoofed IP addresses.

Vulnerability coordination:

The vulnerability was found by Juha-Matti Tiili from Aalto University, Department of Communications and Networking / Nokia Bell Labs. NCSC-FI would like to thank the finder, CERT/CC and vendors for participating in the coordination.

Target of vulnerability

  • In the Linux kernel, the vulnerability was introduced in version 4.9 and fixed in versions 4.9.117, 4.17.11, and 4.14.59. Version 4.4.146 includes portions of the same fix.
  • All supported FreeBSD versions
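
A triage helper for the Linux versions listed above, added here as an example and not part of the advisory: it classifies a `uname -r` string against the fixed releases per stable branch. The function names, the status labels, and the handling of branches the advisory does not name are assumptions.

```python
import re

# Fixed stable releases per branch, as listed in the advisory.
FIXED = {(4, 9): 117, (4, 14): 59, (4, 17): 11}
INTRODUCED = (4, 9)            # first affected release per the advisory
PARTIAL_BRANCH, PARTIAL_PATCH = (4, 4), 146   # portions of the fix only


def parse_release(release):
    """Split a `uname -r` string such as '4.14.58-generic' into
    ((major, minor), patch); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor), patch


def triage(release):
    """Classify a kernel release against the versions in the advisory.
    The status labels are hypothetical names chosen for this example."""
    branch, patch = parse_release(release)
    if branch == PARTIAL_BRANCH:
        if patch >= PARTIAL_PATCH:
            return "partial-fix"
        return "partial-fix-available"
    if branch < INTRODUCED:
        return "predates-4.9"
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "vulnerable"
    if branch < max(FIXED):
        # Assumption: branches between 4.9 and 4.17 with no listed fix
        # (e.g. 4.10-4.13, 4.15, 4.16) inherit the flaw introduced in 4.9.
        return "vulnerable-no-listed-fix"
    return "not-listed"        # newer than any branch the advisory names


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and releases are made up.
    inventory = {
        "web-01": "4.9.116",
        "web-02": "4.14.59-generic",
        "db-01": "4.15.0-29-generic",
        "legacy-01": "3.10.0-862.el7.x86_64",
    }
    for host, release in sorted(inventory.items()):
        print(f"{host:10} {release:24} {triage(release)}")
```

Distribution kernels often carry backported fixes without changing the upstream version number, so treat the result as a triage hint and confirm against the OS provider's own update information.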

What is this about?

What can I do?

Update the affected software using the automatic updates of your OS provider.

The vulnerability can be mitigated by restricting access to systems running a vulnerable version, or by terminating TCP connections in a separate system such as a proxy or load balancer.

Contact Information

NCSC-FI Vulnerability Coordination can be contacted as follows:

Email: vulncoord@ficora.fi

Please quote the advisory reference [FICORA #1052508] in the subject line.

Telephone:
+358 295 390 230
Monday - Friday 08:00 – 16:15 (EET: UTC+3)

Post:
Vulnerability Coordination
FICORA / NCSC-FI
P.O. Box 313
FI-00561 Helsinki
FINLAND

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The PGP key as well as the vulnerability coordination principles of NCSC-FI are available at:

 

Others

Network devices

Network devices are devices that ordinary users usually cannot see, such as routers, switches and firewalls. These devices and the related software transmit or filter network traffic.

Embedded systems

An embedded system consists of a device and its software. Relatively many of the devices used by consumers can be considered embedded systems. One example is a digital set-top box, which is necessary for viewing digital TV broadcasts.

Servers and server applications

Vulnerabilities in servers and server software concern providers of electronic services, among others. Typical targets are operating systems of servers, as well as web or e-mail server software, such as SunOS, Linux, Apache, IIS or Sendmail.

Remote

A remotely performed attack can be carried out over a network connection or similar, without direct access to the targeted system.

No user interaction required

An attack that requires no user interaction targets the vulnerability directly and succeeds without any action from the system's user. For example, the user does not have to browse websites or start a computer program. The attack can be performed without the user's help.

Denial-of-service attack

The purpose of a denial-of-service attack is to prevent the target system from functioning in the task for which it is intended. The purpose of an attack can be, for example, overloading a web server or e-mail server with high volumes of network traffic.

Software update patch

Normally, hardware or software manufacturers publish a new version or a partial update for the software or operating system soon after a vulnerability has become public. The update can be available at the same time as the vulnerability is published, but often the users have to wait for the update.