2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
An analysis of the serious SegmentSmack vulnerability in the Linux kernel. Many newcomers are unclear about this issue, so the following explains it in detail.
A vulnerability called SegmentSmack has been discovered in the way the Linux kernel handles specific TCP packets. A remote attacker can use this flaw to trigger expensive calls to the kernel functions tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() through TCP requests, which may saturate the CPU. Maintaining the denial-of-service condition requires continuous two-way TCP sessions to a reachable open port, so the attack cannot be performed using spoofed IP addresses.
Overview
A vulnerability called SegmentSmack has been discovered in the way the Linux kernel handles specially crafted TCP packets. A remote attacker can use this flaw to trigger expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() and exhaust the CPU. The attack does not need a large amount of network traffic to exhaust the CPU and cause a denial of service (DoS). In the worst case, an attacker can stall an affected host with less than 2 kpps of attack traffic.
Vulnerability details
An e-mail message released by Juha-Matti Tilli reports another security-related problem in the Linux kernel. The CVE-2018-5390 advisory is a newly released security bulletin that provides detailed information about the vulnerability. It states that kernel versions 4.9 and later may be affected under certain conditions, leading to a denial-of-service (DoS) attack. The exact nature of the problem relates to behavior that a user can manipulate: the kernel can be forced to call two functions for each incoming packet:
tcp_collapse_ofo_queue(): whenever the memory quota of the receive queue is full, this routine compacts the out-of-order queue to make room for the arriving segment. It is used for buffer control.
tcp_prune_ofo_queue(): the pruning function for queued network packets. It is used during queue operations.
Packets can be crafted so that each incoming one passes through these two functions, and this pattern of behavior can lead to a denial of service. An attacker can induce the condition by sending modified packets within an ongoing TCP session. The analysis shows that maintaining this state requires continuous two-way TCP sessions through a reachable open port on the target computer. This means that the attack can only be carried out from a real IP address, not a spoofed one.
A remote attacker can trigger a denial-of-service condition against a system with available open ports.
Because maintaining a denial-of-service condition requires continuous two-way TCP sessions to reachable open ports, attacks cannot be performed using spoofed IP addresses.
The following figure shows that an attack using 4 TCP streams can fully saturate 4 CPU cores and cause delays in network packet processing:
Affected products
Because the SegmentSmack attack is based on an algorithm used in the Linux kernel network stack, Red Hat's official documentation indicates that its products shipping moderately new Linux kernel versions are affected:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7 for Real Time
Red Hat Enterprise Linux 7 for ARM64
Red Hat Enterprise Linux 7 for Power
Red Hat Enterprise Linux Atomic Host
Ubuntu officially pointed out that the affected versions are:
Ubuntu 12.04 ESM (Precise Pangolin)
Ubuntu 14.04 LTS (Trusty Tahr)
Ubuntu 16.04 LTS (Xenial Xerus)
Ubuntu 18.10 (Cosmic Cuttlefish)
For other vendors, please check the corresponding vendor's vulnerability advisory.
Solution
No effective workaround or mitigation is known other than a fixed kernel. The Linux kernel team has released a patch commit for this vulnerability.
At the time of this writing, the equipment vendor has not released any patches. When they are ready, appropriate announcements and updates will be issued to end users and device owners. A series of patches is available that fixes the problem by capping the CPU cycles spent, which ultimately makes the bug non-critical. In the future, developers may make further fixes, such as disconnecting or black-holing flows verified as malicious.
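Until a fixed kernel is installed, the receive-queue pruning path described above can be watched from user space. The following is an added example, not code from the original article or from the kernel project: it computes the per-second growth of the TcpExt counters PruneCalled, TCPRcvCollapsed and OfoPruned from /proc/net/netstat. The 100/s alert threshold and the sample values are assumptions constructed for illustration; these counters also rise under ordinary memory pressure, so the baseline must be tuned per host.

```python
import time

# TcpExt counters incremented on the receive-queue collapse/prune paths.
WATCHED = ("PruneCalled", "TCPRcvCollapsed", "OfoPruned")

def parse_tcpext(text):
    """Parse the TcpExt header/value line pair of /proc/net/netstat into a dict."""
    rows = [l.split() for l in text.splitlines() if l.startswith("TcpExt:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one TcpExt header line and one value line")
    return {k: int(v) for k, v in zip(rows[0][1:], rows[1][1:])}

def prune_rates(before, after, seconds):
    """Per-second increase of each watched counter between two samples."""
    rates = {}
    for name in WATCHED:
        delta = after.get(name, 0) - before.get(name, 0)
        rates[name] = max(delta, 0) / seconds  # clamp in case counters reset
    return rates

def suspicious(rates, threshold=100.0):
    """True when any watched counter grows faster than threshold/s (assumed value)."""
    return any(r > threshold for r in rates.values())

# Constructed samples taken 10 s apart, trimmed to a few columns.
SAMPLE_T0 = """TcpExt: SyncookiesSent PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue
TcpExt: 0 12 0 3 40 900
IpExt: InOctets OutOctets
IpExt: 1000 2000"""
SAMPLE_T1 = """TcpExt: SyncookiesSent PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue
TcpExt: 0 15012 0 9003 20040 31900
IpExt: InOctets OutOctets
IpExt: 5000 9000"""

def sample_live(path="/proc/net/netstat"):
    with open(path) as f:
        return parse_tcpext(f.read())

if __name__ == "__main__":
    try:  # on a Linux host, take two live samples
        a = sample_live()
        time.sleep(10)
        b = sample_live()
    except OSError:  # elsewhere, fall back to the constructed samples
        a, b = parse_tcpext(SAMPLE_T0), parse_tcpext(SAMPLE_T1)
    rates = prune_rates(a, b, 10)
    print(rates, "ALERT" if suspicious(rates) else "ok")
```

A sustained alert together with high softirq CPU time and a small number of established peers matches the condition the article describes, since the attack needs real two-way sessions.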