Linux kernel bug: TCP flaw lets remote attackers stall devices with tiny DoS attack

'SegmentSmack' Linux bug gives a remote attacker the means to knock out a system with minimal traffic.

This article was originally posted on ZDNet.

Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit.

The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are.

SEE: Linux distribution comparison chart (Tech Pro Research)

But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL.

A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port.

Because of this requirement, the attacks can't be performed with spoofed IP addresses, notes CERT/CC's Trent Novelly.

The bug, which has the identifier CVE-2018-5390, has been dubbed 'SegmentSmack' by Red Hat.

The "expensive" TCP calls cause the CPU to become saturated on the affected system, in turn creating the DoS condition. An attacker could do this "with a relatively small bandwidth of the incoming network traffic", notes enterprise Linux distribution maker, Red Hat.

"In a worst-case scenario, an attacker can stall an affected host or device with less than 2kpps [2,000 packets per second] of an attack traffic," explains the software company.

"A result of the attack with four streams can look like a complete saturation of four CPU cores and delays in a network packets processing," it adds in its advisory.

It has confirmed that Red Hat systems affected include those running RHEL 6 and 7, RHEL 7 for Real Time, RHEL 7 for ARM64 systems, RHEL 7 for IBM POWER systems, and RHEL Atomic Host.

Unfortunately for admins there's "no effective workaround/mitigation besides a fixed kernel is known at this time", according to Red Hat.

The bug was found by Juha-Matti Tilli of a Nokia Bell Labs supported networking department from Finland's Aalto University, where Finnish-born Linux kernel founder Linus Torvalds famously gave his own version of a SegmentSmack to Nvidia for not supporting Linux with its Optimus technology.

Also see

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (witho...

Editor's Picks

Free Newsletters, In your Inbox