SANS ISC InfoSec Forums

What Do I Need To Know about "SegmentSmack"

"SegmentSmack" is yet another branded vulnerability, also known as CVE-2018-5390. It hit the "news" yesterday. Successful exploitation may lead to a denial of service against a targeted system. At this point, not a lot is known about this vulnerability, but here are some highlights:

  • Linux Kernel 4.9 is vulnerable. Older versions are not vulnerable. However, some Linux distributions like RedHat ES 6 and 7 include the vulnerable code, as they backported some of the 4.9 networking code into their kernels.
  • An attacker should not be able to exploit this vulnerability using a spoofed IP address. The attacker needs to first establish a TCP connection, which is very difficult with a spoofed address.
  • It is not known how much traffic the attacker will have to send, but likely not more than a user would send in a normal TCP connection.
  • The attack can be launched against any exposed TCP service (Web, Mail, DNS...).
  • The vulnerable functions, tcp_collapse_ofo_queue() and tcp_prune_ofo_queue(), are used to deal with reassembling TCP segments. This likely implies that an exploit would use many out-of-order or otherwise abnormal packets. But this is just a guess at this point.
  • If you are vulnerable, your best bet is to update. There is likely not much else you can do (e.g. firewall rules).
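As an added illustration (not part of the diary), a small Python heuristic that scores each TCP flow by the share of its segments arriving ahead of the expected sequence number, following the guess above that an exploit would send many out-of-order segments. The flow records are constructed sample data, the per-flow queue is a simplified model of the kernel's out-of-order queue, and the thresholds are assumed starting points.

```python
from collections import defaultdict

# Constructed sample records (client, server, seq, payload_len) for the
# client->server direction, listed in arrival order. Flow 1 is a normal
# transfer with one reordered segment; flow 2 (constructed) sends almost
# every segment ahead of the expected sequence number.
SAMPLE_SEGMENTS = [
    ("10.0.0.5:40001", "192.0.2.10:80", 1000, 100),
    ("10.0.0.5:40001", "192.0.2.10:80", 1200, 100),   # one gap ...
    ("10.0.0.5:40001", "192.0.2.10:80", 1100, 100),   # ... filled next
    ("10.0.0.5:40001", "192.0.2.10:80", 1300, 100),
    ("10.0.0.9:50002", "192.0.2.10:80", 5000, 1),
    ("10.0.0.9:50002", "192.0.2.10:80", 9000, 1),
    ("10.0.0.9:50002", "192.0.2.10:80", 7000, 1),
    ("10.0.0.9:50002", "192.0.2.10:80", 8000, 1),
    ("10.0.0.9:50002", "192.0.2.10:80", 6000, 1),
    ("10.0.0.9:50002", "192.0.2.10:80", 12000, 1),
]

def ooo_stats(segments):
    """Return {flow: (total_segments, out_of_order_segments)}.

    A segment is out of order when it starts beyond the next expected byte
    of its flow; it is held in a per-flow queue and drained once the hole
    before it is filled (a simplified model of the kernel's ofo queue).
    """
    expected = {}                      # flow -> next expected seq
    queued = defaultdict(dict)         # flow -> {seq: len} waiting segments
    stats = defaultdict(lambda: [0, 0])
    for src, dst, seq, length in segments:
        flow = (src, dst)
        stats[flow][0] += 1
        nxt = expected.get(flow)
        if nxt is None or seq == nxt:
            nxt = seq + length
            while nxt in queued[flow]:          # hole filled: drain queue
                nxt += queued[flow].pop(nxt)
            expected[flow] = nxt
        elif seq > nxt:
            stats[flow][1] += 1                 # arrived ahead: queue it
            queued[flow][seq] = length
        # seq < nxt: retransmission or overlap, neither counted nor queued
    return {flow: tuple(v) for flow, v in stats.items()}

def suspicious_flows(segments, min_segments=5, min_ratio=0.6):
    """Flows with enough segments and a high out-of-order share; the
    thresholds are assumptions to be tuned against normal traffic."""
    return [flow for flow, (total, ooo) in ooo_stats(segments).items()
            if total >= min_segments and ooo / total >= min_ratio]
```

Legitimate reordering on a lossy path also raises the ratio, so treat a hit as a prompt to inspect the flow, not as proof of an attack.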

You can find more details here: https://www.kb.cert.org/vuls/id/962459

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
The same vulnerability is also in FreeBSD and potentially other OSs also. https://www.freebsd.org/security/advisories/FreeBSD-SA-18:08.tcp.asc
Anonymous
Could Windows OSs have this vulnerability or is this one contained to Linux?
Henderson
Is it possible to detect Segment and/or Fragment Smack using Snort?
Anonymous
