Front Page: NCSC-FI
Front Page: NCSC-FI
Go to Search

Vulnerability in the handling of IP fragments

Vulnerability15/2018

TCP/IP stacks of Linux and Windows systems have a vulnerability in the handling of fragmented IP packets. An attacker may increase the effects of denial of service attacks by sending specially crafted IP fragments.

Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size. A stream of tiny fragments can exhaust the fragment queue, degrading the overall network performance of the system. This can result in a denial of service. According to Microsoft, the vulnerability also affects Windows systems.

Vulnerability coordination:

The vulnerability was found by Juha-Matti Tiili from Aalto University, Department of Communications and Networking / Nokia Bell Labs. It was discovered together with the TCP segmentation issues published earlier in August 2018. NCSC-FI would like to thank the finder, CERT/CC and vendors for participating in the coordination.

Target

  • Others
  • Workstations and end-user applications
  • Network devices
  • Embedded systems
  • Mobile communications systems
  • Servers and server applications

Attack vector

  • Remote
  • No user interaction required
  • No authentication required

Impact

  • Denial-of-service attack

Remediation

  • Software update patch
  • Restriction of the problem

Vulnerable software

  • The vulnerability was introduced in Linux kernel in the version 3.9 and fixed in versions 3.18.118, 4.4.146, 4.9.118, 4.14.61, and 4.17.13.
  • All supported Windows versions

Possible solutions

Update the affected software using the automatic updates of your OS provider.

The vulnerability can be mitigated by restricting access to the vulnerable system. A simple mitigation on Linux is to decrease the size of the IP fragment queues:

sysctl -w net.ipv4.ipfrag_low_thresh=196608
sysctl -w net.ipv4.ipfrag_high_thresh=262144

As a workaround, Microsoft published the following commands that disable packet reassembly.

Netsh int ipv4 set global reassemblylimit=0
Netsh int ipv6 set global reassemblylimit=0

Additional information

NCSC-FI Vulnerability Coordination can be contacted as follows:

Email: vulncoord@ficora.fi

Please quote the advisory reference [FICORA #1052508] in the subject line.

Telephone:
+358 295 390 230
Monday - Friday 08:00 – 16:15 (EET: UTC+3)

Post:
Vulnerability Coordination
FICORA / NCSC-FI
P.O. Box 313
FI-00561 Helsinki
FINLAND

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The PGP key as well as the vulnerability coordination principles of NCSC-FI are available at:

 

Originally published 15.8.2018 time 09:31 Updated on 21.09.2018 time 11:41 Added links to the Windows update