Situation: two vulnerabilities closed in the Linux kernel network stack
Earlier this month security researchers disclosed two new vulnerabilities in the Linux kernel: SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391). Both sit in the kernel's network stack (TCP segment handling and IP fragment reassembly respectively) and let a remote attacker mount DoS and DDoS attacks against the victim's system. Patches for most distributions have already been released.
More details below.
/ photo by Eli Duke CC
Why are these vulnerabilities dangerous?
The root of SegmentSmack is the cost of the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions, which the kernel runs to tidy up the out-of-order queue of a TCP socket. An attacker makes the kernel run them over and over by sending specially crafted TCP segments over an established connection to the victim's server, desktop or mobile device.
The CPU time then goes into these functions instead of useful work, so a stream of only about 2,000 packets per second is enough to hang a host or device.
The Red Hat site gives an example of the result of such an attack. In the top output four CPU cores are fully busy in softirq context (the si column) with the ksoftirqd threads on top, and network packets are delayed accordingly:
$ top
%Cpu25 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.5 si, 0.0 st
%Cpu26 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.6 si, 0.0 st
%Cpu28 : 0.0 us, 0.3 sy, 0.0 ni, 0.7 id, 0.0 wa, 0.0 hi, 99.0 si, 0.0 st
%Cpu30 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.6 si, 0.0 st
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
141 root 20 0 0 0 0 R 97.3 0.0 1:16.33 ksoftirqd/26
151 root 20 0 0 0 0 R 97.3 0.0 1:16.68 ksoftirqd/28
136 root 20 0 0 0 0 R 97.0 0.0 0:39.09 ksoftirqd/25
161 root 20 0 0 0 0 R 97.0 0.0 1:16.48 ksoftirqd/30
Note that the attack works only while a TCP connection stays open: the malicious segments have to belong to an established session, so the attacker must complete the three-way handshake and cannot spoof the source IP address.
The FragmentSmack attack exploits IP datagram fragmentation. When a datagram is handed down to the link layer and is larger than the link's MTU, it is split into fragments that travel separately, and the receiving host reassembles them. The receiver only learns the datagram's total length when the last fragment arrives, so until then it has to keep every fragment it has seen in a reassembly queue.
The attackers exploit this by sending fragments with crafted offsets that never complete a datagram, so the victim's kernel keeps them queued and spends its CPU time on reassembly work for every new fragment, for IPv4 and IPv6 alike.
Because no connection has to be set up first, FragmentSmack works with forged source addresses, so IP spoofing can be used to get past filtering that keys on the source. On the other hand it needs a higher packet rate than SegmentSmack: about 30,000 packets per second.
Red Hat also shows the result of such an attack; here a single core is fully occupied in softirq context by its ksoftirqd thread:
top - 08:59:45 up 1:34, 2 users, load average: 0.39, 0.15, 0.08
%Cpu9 : 0.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi,100.0 si, 0.0 st
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
54 root 20 0 0 0 0 R 99.7 0.0 0:47.53 ksoftirqd/9
Vulnerabilities of this kind are not new. In the 1990s a similar bug was found in Windows NT 4.0, Windows 95 and Linux kernels before 2.0.32. The exploit became known as the teardrop attack: the attacker likewise sent malformed fragmented packets to the target host or network device to cause a DoS. The bug was patched but resurfaced later.
In 2009 a teardrop-style bug was again found in Windows 7 and Windows Vista.
Who is affected
FragmentSmack affects all Linux kernels from version 3.9 onwards, SegmentSmack from 4.9 onwards. A list of vendors whose products carry these vulnerabilities is maintained in the CERT/CC vulnerability note.
Last week Cisco reported that its AsyncOS operating system, among other products, is affected by SegmentSmack and FragmentSmack, and has released a number of patches.
Cisco also notes that the symptoms can be spotted with the netstat command (an example is given in the Indicators of Compromise section of its advisory): a large number of TCP connections in the CLOSE_WAIT state suggests the device is being hit through these vulnerabilities. Treat that as a weak signal on its own, since CLOSE_WAIT also piles up whenever a local application fails to close sockets its peers have already closed; ksoftirqd threads saturating cores in softirq context, as in the top output above, is the more specific indicator.
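The two indicators above, ksoftirqd saturation in the top output and Cisco's CLOSE_WAIT count, as an added triage script. This is example code written for this article, not Red Hat's or Cisco's tooling: the top sample reuses the CPU and ksoftirqd lines reproduced above with a constructed idle CPU and a user process added for contrast, and the netstat listing is entirely constructed.

```python
"""Triage helpers for the SegmentSmack / FragmentSmack symptoms.

Added example; not code from the original article, Red Hat or Cisco. It parses
the kind of `top` output reproduced above and a `netstat -tan` listing and
reports the two indicators the article mentions: CPUs pinned in softirq
context by their ksoftirqd thread, and TCP connections piling up in CLOSE_WAIT.
"""
import re

# Constructed sample: the %Cpu and ksoftirqd lines are copied from the Red Hat
# excerpts above, Cpu0 and the nginx line are made up for contrast.
TOP_SAMPLE = """\
top - 08:59:45 up 1:34, 2 users, load average: 0.39, 0.15, 0.08
%Cpu25 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.5 si, 0.0 st
%Cpu26 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.6 si, 0.0 st
%Cpu9 : 0.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi,100.0 si, 0.0 st
%Cpu0 : 2.0 us, 1.0 sy, 0.0 ni, 96.0 id, 0.0 wa, 0.0 hi, 1.0 si, 0.0 st
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
141 root 20 0 0 0 0 R 97.3 0.0 1:16.33 ksoftirqd/26
136 root 20 0 0 0 0 R 97.0 0.0 0:39.09 ksoftirqd/25
54 root 20 0 0 0 0 R 99.7 0.0 0:47.53 ksoftirqd/9
1234 www 20 0 1000 100 10 S 3.0 0.1 0:01.00 nginx
"""

# Constructed `netstat -tan` excerpt; not output from a real appliance.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            198.51.100.7:51000      CLOSE_WAIT
tcp        0      0 10.0.0.5:443            198.51.100.7:51001      CLOSE_WAIT
tcp        0      0 10.0.0.5:443            198.51.100.7:51002      CLOSE_WAIT
tcp        0      0 10.0.0.5:443            203.0.113.9:40000       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.10:50123      ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

CPU_LINE = re.compile(r"^%Cpu(\d+)\s*:(.*)$")


def parse_top(text):
    """Return ({cpu: {counter: percent}}, [(pid, %cpu, command)])."""
    cpus, procs = {}, []
    for line in text.splitlines():
        m = CPU_LINE.match(line)
        if m:
            counters = {}
            for chunk in m.group(2).split(","):
                value, name = chunk.split()          # e.g. "98.5 si"
                counters[name] = float(value)
            cpus[int(m.group(1))] = counters
            continue
        fields = line.split()
        if len(fields) >= 12 and fields[0].isdigit():   # a process row
            procs.append((int(fields[0]), float(fields[8]), fields[11]))
    return cpus, procs


def softirq_pinned_cpus(text, si_threshold=90.0):
    """CPUs whose softirq share (si) is at or above the threshold, mapped to the
    ksoftirqd thread for that CPU. Both attacks do their damage in softirq
    context, which is why top attributes the load to ksoftirqd rather than to
    any user process."""
    cpus, procs = parse_top(text)
    by_command = {p[2]: p for p in procs}
    return {cpu: by_command.get(f"ksoftirqd/{cpu}")
            for cpu, counters in cpus.items()
            if counters.get("si", 0.0) >= si_threshold}


def close_wait_by_peer(text):
    """Count CLOSE_WAIT sockets per remote address in `netstat -tan` output.
    Grouping by peer makes one source holding many half-closed sessions stand
    out from a general application socket leak."""
    counts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[0].startswith("tcp") and fields[5] == "CLOSE_WAIT":
            peer = fields[4].rsplit(":", 1)[0]
            counts[peer] = counts.get(peer, 0) + 1
    return counts


if __name__ == "__main__":
    for cpu, thread in sorted(softirq_pinned_cpus(TOP_SAMPLE).items()):
        print(f"cpu{cpu}: pinned in softirq, thread={thread}")
    print("CLOSE_WAIT per peer:", close_wait_by_peer(NETSTAT_SAMPLE))
```

On a live box, feed it the output of "top -b -n 1 -1" and "netstat -tan" (or "ss -tan", after adjusting the column check). The CPU-side check is the one to alert on; a CLOSE_WAIT spike from a single peer corroborates it, a CLOSE_WAIT spike spread across many peers usually points at the local application instead.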
How to fix it
Patches for SegmentSmack (CVE-2018-5390) have been published for a number of distributions (for example, here is the patch for Ubuntu 14.04 LTS), and the CVE entry links to the advisories and package updates for the other Linux distributions. For FragmentSmack (CVE-2018-5391), Ubuntu, Red Hat, Debian and the Android developers have already rolled out patches.
/ photo Christopher Michel CC
If a patch cannot be installed for some reason, there is a temporary workaround for FragmentSmack: lower net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_low_thresh from the defaults of 4 MB and 3 MB to 256 KB and 192 KB (262144 and 196608 bytes) respectively, and do the same for net.ipv6.ip6frag_high_thresh and net.ipv6.ip6frag_low_thresh.
The first parameter caps the memory the kernel may use for queues of fragments awaiting reassembly. Once that cap is exceeded, the fragment handler drops incoming fragments until usage falls below ipfrag_low_thresh. A smaller budget also bounds how long any single reassembly queue can grow, and with it the work each attack fragment costs the kernel. The price is that legitimate fragmented traffic (NFS over UDP or large EDNS0 DNS answers, for instance) hits the limit sooner under load, so check whether your workload depends on fragmentation before applying it.
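To make the mechanism behind the fragmentation attack and the threshold workaround concrete, here is an added toy reassembler in Python. It is example code for this article, not the kernel's implementation: the list-walk cost model, the PER_FRAG_OVERHEAD constant, the addresses and the datagram identifiers are all assumptions, and only the budget values (4 MB/3 MB and 256 KB/192 KB) come from the text.

```python
"""Toy IP reassembly queue with an ipfrag_high_thresh-style memory budget.

Added example; not kernel code and not from the original article. It models
two things the text relies on: a datagram is delivered only once the MF=0
fragment has arrived and the pieces tile it without holes, so withholding that
fragment leaves state behind; and inserting into a queue kept in offset order
costs time proportional to the queue length, so the memory budget also bounds
the CPU spent per fragment. Assumptions (not the kernel's real layout): a list
walked from the head on every insert, no tail fast path, no overlap handling,
no queue expiry, and PER_FRAG_OVERHEAD bytes of bookkeeping per fragment.
"""
import bisect

KB, MB = 1024, 1024 * 1024
PER_FRAG_OVERHEAD = 256           # assumed per-fragment bookkeeping cost, bytes


class FragQueue:
    """One in-progress datagram, fragments kept sorted by byte offset."""

    def __init__(self):
        self.offsets, self.payloads = [], {}
        self.total_len = None     # learnt from the MF=0 fragment
        self.mem = 0

    def insert(self, offset, more, payload):
        """Store a fragment; returns how many entries a head-to-tail walk would
        pass before reaching this fragment's slot (the cost being exposed)."""
        if offset in self.payloads:
            return 0              # duplicate, nothing new to store
        pos = bisect.bisect_left(self.offsets, offset)   # same slot a linear walk finds
        self.offsets.insert(pos, offset)
        self.payloads[offset] = payload
        self.mem += len(payload) + PER_FRAG_OVERHEAD
        if not more:
            self.total_len = offset + len(payload)
        return pos

    def complete(self):
        """The reassembled datagram, or None while the tail or a hole is missing."""
        if self.total_len is None:
            return None
        expected, out = 0, bytearray()
        for off in self.offsets:
            if off != expected:
                return None       # hole (an overlap would also land here)
            out += self.payloads[off]
            expected = off + len(self.payloads[off])
        return bytes(out) if expected == self.total_len else None


class Reassembler:
    def __init__(self, high_thresh, low_thresh):
        self.high_thresh, self.low_thresh = high_thresh, low_thresh
        self.queues, self.mem, self.throttled = {}, 0, False
        self.stats = {"accepted": 0, "dropped": 0, "delivered": 0, "walk_steps": 0}

    def receive(self, src, dst, ident, offset, more, payload):
        """Feed one fragment; returns the datagram when it completes."""
        # Admission control as the article describes the sysctls: above
        # high_thresh the handler ignores fragments until usage is under low_thresh.
        if self.throttled and self.mem < self.low_thresh:
            self.throttled = False
        if self.throttled or self.mem + len(payload) + PER_FRAG_OVERHEAD > self.high_thresh:
            self.throttled = True
            self.stats["dropped"] += 1
            return None
        key = (src, dst, ident)
        q = self.queues.setdefault(key, FragQueue())
        before = q.mem
        self.stats["walk_steps"] += q.insert(offset, more, payload)
        self.stats["accepted"] += 1
        self.mem += q.mem - before
        datagram = q.complete()
        if datagram is not None:
            self.mem -= q.mem
            del self.queues[key]
            self.stats["delivered"] += 1
        return datagram


def fragment(payload, mtu_payload=1480):
    """Split a payload into (offset, more_fragments, chunk) triples."""
    assert mtu_payload % 8 == 0, "fragment offsets are in 8-byte units"
    return [(off, off + mtu_payload < len(payload), payload[off:off + mtu_payload])
            for off in range(0, len(payload), mtu_payload)]


def attack(high_thresh, low_thresh, frag_size=8):
    """Flood one reassembly queue with tiny never-completing fragments in
    ascending offset order until the budget is hit, then try to deliver a
    legitimate fragmented datagram. Returns (legit_delivered, stats)."""
    r = Reassembler(high_thresh, low_thresh)
    victim, attacker, client = "10.0.0.5", "198.51.100.7", "203.0.113.9"   # constructed
    offset = frag_size            # offset 0 never sent, MF always set: can never complete
    while not r.throttled:
        r.receive(attacker, victim, 0xBEEF, offset, True, b"\x00" * frag_size)
        offset += frag_size
    legit = bytes(range(256)) * 20                                      # 5120 bytes
    out = [r.receive(client, victim, 7, off, more, chunk) for off, more, chunk in fragment(legit)]
    return any(d == legit for d in out), r.stats


if __name__ == "__main__":
    for high, low in ((4 * MB, 3 * MB), (256 * KB, 192 * KB)):
        print(f"budget {high // KB} KB:", attack(high, low))
```

Running attack(4 * MB, 3 * MB) against attack(256 * KB, 192 * KB) shows the point of the workaround: the smaller budget retains about 16 times fewer attack fragments but costs roughly 256 times fewer walk steps, because the per-fragment work grows with the queue length. It also shows its limit: in both runs the legitimate datagram is dropped while the flood holds the budget, so the sysctl trims the CPU cost of an attack, it does not make the kernel immune.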
Android users, as cybersecurity expert Kevin Beaumont (who also runs an independent blog on the subject) writes, can change these values with the following commands, which should take effect without rebooting the device.
What we do at IT-GRAD, our main areas:
• Virtual infrastructure (IaaS) • PCI DSS hosting • Cloud FZ-152
Other materials from our IaaS blog:
- How to test a disk system in the cloud: practical tips
- What is hidden behind the term vCloud Director - an inside view