Vulnerability in the handling of IP fragments | Traficom

Vulnerability in the handling of IP fragments

December 31, 2018 at 10:38

TCP/IP stacks of Linux and Windows systems have a vulnerability in the handling of fragmented IP packets. An attacker may increase the effects of denial of service attacks by sending specially crafted IP fragments.

Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size. A stream of tiny fragments can exhaust the fragment queue, degrading the overall network performance of the system. This can result in a denial of service. According to Microsoft, the vulnerability also affects Windows systems.

Vulnerability coordination:

The vulnerability was found by Juha-Matti Tilli from Aalto University, Department of Communications and Networking / Nokia Bell Labs. It was discovered together with the TCP segmentation issues published earlier in August 2018. NCSC-FI would like to thank the finder, CERT/CC and the vendors for participating in the coordination.

Target of vulnerability

  • The vulnerability was introduced in the Linux kernel in version 3.9 and fixed in versions 3.18.118, 4.4.146, 4.9.118, 4.14.61, and 4.17.13.
  • All supported Windows versions

What can I do?

Update the affected software using the automatic updates of your OS provider.

The vulnerability can be mitigated by restricting access to the vulnerable system. A simple mitigation on Linux is to decrease the size of the IP fragment queues:

sysctl -w net.ipv4.ipfrag_low_thresh=196608
sysctl -w net.ipv4.ipfrag_high_thresh=262144

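The following Python model is an added illustration of the two points made above: why a stream of tiny fragments, each opening a datagram that never completes, fills the reassembly queue, and why lowering ipfrag_high_thresh / ipfrag_low_thresh bounds the memory the queue can hold. It is not code from Traficom, Microsoft or the Linux kernel. The per-fragment overhead (256 bytes), the oldest-first eviction policy, the 4 MiB / 3 MiB "large" thresholds used for comparison, and the 10.0.0.1 / 10.0.0.2 addresses are all assumptions made for the example; the 262144 / 196608 values are the advisory's own.

```python
"""Toy model of an IPv4 fragment reassembly queue bounded by memory thresholds.

Added illustration for the advisory; not code from Traficom, Microsoft or the
Linux kernel.  The per-fragment overhead and the eviction policy are
simplifying assumptions chosen to show the mechanism, not kernel behaviour.
"""
import struct
from collections import OrderedDict

# ASSUMPTION: fixed bookkeeping cost charged per queued fragment.  A real stack
# charges the whole allocated buffer (headers, metadata, alignment), which is
# why a stream of 1-byte payloads still consumes queue memory quickly.
PER_FRAGMENT_OVERHEAD = 256

# Thresholds from the advisory's sysctl mitigation (bytes).
ADVISORY_HIGH_THRESH = 262144
ADVISORY_LOW_THRESH = 196608


def make_fragment(src, ident, offset_bytes, payload, more_fragments=True):
    """Build a minimal IPv4 fragment (20-byte header, no options).  Constructed
    sample input; the header checksum is left at zero because nothing here verifies it."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_off = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,               # version 4, IHL 5 (20 bytes)
                         0,                  # TOS
                         20 + len(payload),  # total length
                         ident,              # identification, shared by all fragments of one datagram
                         flags_off,          # flags (bit 13 = MF) + 13-bit offset in 8-byte units
                         64, 17, 0,          # TTL, protocol (UDP), checksum (not computed)
                         src, b"\x0a\x00\x00\x02")   # ASSUMPTION: destination 10.0.0.2
    return header + payload


def parse_ipv4_fragment(packet):
    """Return (src, ident, more_fragments, offset_bytes, payload_len) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, _proto, _csum, src, _dst = fields
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_off & 0x2000)
    offset_bytes = (flags_off & 0x1FFF) * 8
    return src, ident, more_fragments, offset_bytes, total_len - ihl


class FragmentQueue:
    """Incomplete datagrams keyed by (src, ident).  When the charged memory passes
    high_thresh, whole datagrams are dropped oldest-first until it is back under
    low_thresh (ASSUMPTION: a simplified form of the classic eviction policy)."""

    def __init__(self, high_thresh, low_thresh):
        self.high_thresh = high_thresh
        self.low_thresh = low_thresh
        self.datagrams = OrderedDict()   # (src, ident) -> [(offset, payload_len), ...]
        self.mem = 0                     # bytes currently charged to the queue
        self.peak_mem = 0                # highest charge seen (measured before eviction)
        self.evicted = 0                 # datagrams dropped while still incomplete

    def add(self, packet):
        src, ident, _mf, offset, payload_len = parse_ipv4_fragment(packet)
        self.datagrams.setdefault((src, ident), []).append((offset, payload_len))
        self.mem += payload_len + PER_FRAGMENT_OVERHEAD
        self.peak_mem = max(self.peak_mem, self.mem)
        if self.mem > self.high_thresh:
            self._evict()

    def _evict(self):
        while self.mem > self.low_thresh and self.datagrams:
            _key, frags = self.datagrams.popitem(last=False)
            self.mem -= sum(plen + PER_FRAGMENT_OVERHEAD for _off, plen in frags)
            self.evicted += 1


def flood(high_thresh, low_thresh, count):
    """Feed `count` one-byte fragments from 10.0.0.1 (assumed address), each opening
    a new datagram that never completes, and report (peak_mem, evicted, pending)."""
    queue = FragmentQueue(high_thresh, low_thresh)
    for i in range(count):
        queue.add(make_fragment(b"\x0a\x00\x00\x01", i & 0xFFFF, 0, b"x"))
    return queue.peak_mem, queue.evicted, len(queue.datagrams)


if __name__ == "__main__":
    # ASSUMPTION: 4 MiB / 3 MiB stand in for "large" defaults to contrast with the advisory values.
    print("large thresholds:   ", flood(4 * 1024 * 1024, 3 * 1024 * 1024, 10000))
    print("advisory thresholds:", flood(ADVISORY_HIGH_THRESH, ADVISORY_LOW_THRESH, 10000))
```

With the large thresholds all 10,000 tiny fragments stay pending and the queue grows linearly with their count; with the advisory values the charged memory never exceeds the high threshold by more than one fragment, at the price of discarding incomplete datagrams early. That trade-off is the reason the advisory presents the sysctl change as a mitigation rather than a fix: legitimately fragmented traffic also competes for the smaller queue.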
As a workaround, Microsoft published the following commands, which disable packet reassembly:

Netsh int ipv4 set global reassemblylimit=0
Netsh int ipv6 set global reassemblylimit=0

More information:

NCSC-FI Vulnerability Coordination can be contacted as follows:

Email: vulncoord@ficora.fi

Please quote the advisory reference [FICORA #1052508] in the subject line.

Telephone:
+358 295 390 230
Monday - Friday 08:00 – 16:15 (EET: UTC+3)

Post:
Vulnerability Coordination
FICORA / NCSC-FI
P.O. Box 313
FI-00561 Helsinki
FINLAND

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The PGP key as well as the vulnerability coordination principles of NCSC-FI are available at:


Others

Workstations and end-user applications

Vulnerabilities in workstations and in applications for ordinary users often concern a considerable number of users. The target can be, for example, the Windows operating system or a word processor. The line between server applications and end-user applications is sometimes blurred; for example, the same operating system can be used both on a server and on a workstation.

Network devices

Network devices are devices that ordinary users usually cannot see, such as routers, switches and firewalls. These devices and their software transmit or filter network traffic.

Embedded systems

An embedded system consists of a device and its software. Relatively many of the devices used by consumers can be considered embedded systems. One example is a digital set-top box, which is necessary for viewing digital TV broadcasts.

Mobile communications systems

In addition to portable terminal devices, such as telephones and data cards, mobile network devices are also categorised as mobile communications systems.

Servers and server applications

Vulnerabilities in servers and server software concern providers of electronic services, among others. Typical targets are operating systems of servers, as well as web or e-mail server software, such as SunOS, Linux, Apache, IIS or Sendmail.

Remote

A remote attack is carried out over a network connection or similar, without local access to the targeted system.

No user interaction required

An attack that requires no user interaction targets the vulnerability directly, without any action by the system's user being needed for it to succeed. For example, the user does not have to browse a website or start a program; the attack can be carried out without the user's help.

No authentication required

The attack does not require logging into the target system. In contrast, other attacks require a user name and password, for example to execute commands after logging in.

Denial-of-service attack

The purpose of a denial-of-service attack is to prevent the target system from functioning in the task for which it is intended. The purpose of an attack can be, for example, overloading a web server or e-mail server with high volumes of network traffic.

Software update patch

Normally, hardware or software manufacturers publish a new version or a partial update for the software or operating system soon after the vulnerability has become public. The update may be available at the same time as the vulnerability is published, but often users have to wait for it.

Restriction of the problem

Although an actual vulnerability patch is not always available, the vulnerability's effects can usually be limited, for example, by temporarily refraining from the use of a certain feature or by restricting the network traffic to the target system in a suitable manner.


December 31, 2018 at 10:38
Originally published 15.8.2018 at 09:31
Updated on 21.09.2018 at 11:41: added links to the Windows update