{"vuid":"VU#641765","idnumber":"641765","name":"Linux kernel IP fragment re-assembly vulnerable to denial of service","keywords":["IP","DoS","denial of service","fragmentation","fragments","fragmentsmack"],"overview":"The Linux kernel, versions 3.9+, IP implementation is vulnerable to denial of service conditions with low rates of specially modified packets.","clean_desc":"CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5391 The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.","impact":"An attacker may be able to trigger a denial-of-service condition against the system.","resolution":"Apply a patch\nPatches are available from OS vendors to address the vulnerability.","workarounds":"If you are unable to apply a patch, see the following mitigations: Modify Default Configurations\nChange the (default) values of net.ipv4/ipv6.ipfrag_high_thresh and net.ipv4/ipv6.ipfrag_low_thresh back to 256 kB and 192 kB (respectively) or below. Example: sysctl -w net.ipv4.ipfrag_low_thresh=196608\nsysctl -w net.ipv4.ipfrag_high_thresh=262144\nsysctl -w net.ipv6.ip6frag_low_thresh=196608\nsysctl -w net.ipv6.ip6frag_high_thresh=262144 Update: Further testing shows that these mitigations are not a 100% fix. A significantly strong attack will still result in a denial of service condition. 
Revert Commit\nAnother sufficient mitigation is to revert the commit c2a936600f78aea00d3312ea4b66a79a4619f9b4","sysaffected":"","thanks":"Thanks to Juha-Matti Tilli (Aalto University, Department of Communications and Networking/Nokia Bell Labs) for reporting this vulnerability.","author":"This document was written by Trent Novelly.","public":["https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=c30f1fc041b74ecdb072dd44f858750414b8b19f"],"cveids":["CVE-2018-5391"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2018-08-02T17:27:59Z","publicdate":"2018-08-14T00:00:00Z","datefirstpublished":"2018-08-14T19:52:37Z","dateupdated":"2018-10-12T12:31:15Z","revision":37,"vrda_d1_directreport":"1","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"N","cvss_integrityimpact":"N","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"H","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.8","cvss_basevector":"AV:N/AC:L/Au:N/C:N/I:N/A:C","cvss_temporalscore":"6.6","cvss_environmentalscore":"6.618431568","cvss_environmentalvector":"CDP:ND/TD:H/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}