Cisco: Linux kernel FragmentSmack bug now affects 88 of our products

Cisco's list of products with a Linux kernel denial-of-service flaw is growing.
Written by Liam Tung, Contributing Writer

Cisco has confirmed that more of its products that rely on the Linux kernel are vulnerable to a potentially dangerous denial-of-service flaw.

The bug, dubbed FragmentSmack, was revealed in August to affect the IP networking stack in the Linux kernel, prompting patches for numerous Linux distributions and from vendors including Akamai, Amazon, and Juniper Networks.

The bug can saturate a CPU's capacity when under a low-speed attack using fragmented IPv4 and IPv6 packets, which could cause a denial-of-service condition on the affected device.

As Red Hat noted in its write-up, an attacker can use FragmentSmack to drive up CPU usage by sending fragmented IP packets that trigger the kernel's 'time and calculation expensive' reassembly algorithm.


Cisco has focused its search for the vulnerability on products that use Linux kernel version 3.9 or later, the versions confirmed to be vulnerable to FragmentSmack.

The company has been updating its initial advisory over the past month with details about products confirmed to be vulnerable and those that are not.

Linux-based products aren't the only ones affected. Microsoft this week also revealed that all supported versions of Windows were vulnerable to FragmentSmack, with Windows servers the more likely target of an attack.

Cisco has now confirmed that the flaw affects 88 products, including its Nexus switches, Cisco IOS XE software, and equipment from its lines of Unified Computing and Unified Communications brands, several TelePresence products, and a handful of wireless access points.

Cisco notes that some workarounds may be available, including using access-control lists and other rate-limiting techniques to control the flow of fragmented packets that reach affected interfaces. External firewalls may also do the trick and minimize impact on downstream devices.
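The two paragraphs above describe the mechanism (fragments that keep the kernel's reassembly queues busy) and the workaround (rate-limiting fragmented traffic per source). The following Python is an added example written for this article, not code from Cisco, Red Hat or the Linux kernel: it tracks per-datagram reassembly queues from constructed packet records and reports sources that leave many datagrams incomplete, which is the signal a defender would feed into an ACL or rate-limit decision. The completeness check is a simplified model of reassembly, the threshold of 20 incomplete datagrams is an assumption, and the IP addresses come from documentation ranges.

```python
"""Heuristic monitor for IP fragment reassembly pressure (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str        # source IP address
    dst: str        # destination IP address
    ip_id: int      # IP identification field shared by all fragments of one datagram
    offset: int     # fragment offset in 8-byte units, as carried in the IP header
    more: bool      # more-fragments (MF) flag
    length: int     # payload bytes in this fragment (multiple of 8 unless it is the last)
    ts: float       # arrival time in seconds


Key = Tuple[str, str, int]


class FragmentMonitor:
    """Tracks reassembly queues per (src, dst, id) and flags sources with many incomplete ones."""

    def __init__(self, threshold: int = 20) -> None:
        self.threshold = threshold              # assumed cut-off for "suspicious"
        self.queues: Dict[Key, List[Fragment]] = defaultdict(list)
        self.completed = 0

    @staticmethod
    def is_complete(frags: List[Fragment]) -> bool:
        """True when the fragments cover bytes 0..end contiguously and the last has MF=0.

        Duplicate offsets (retransmissions) are collapsed; gaps or a missing
        final fragment mean the datagram still occupies a reassembly queue.
        """
        ordered = sorted({f.offset: f for f in frags}.values(), key=lambda f: f.offset)
        expected = 0
        for f in ordered:
            if f.offset * 8 != expected:
                return False
            expected += f.length
        return not ordered[-1].more

    def observe(self, f: Fragment) -> None:
        key = (f.src, f.dst, f.ip_id)
        self.queues[key].append(f)
        if self.is_complete(self.queues[key]):
            del self.queues[key]            # datagram reassembled, queue released
            self.completed += 1

    def incomplete_by_source(self) -> Dict[str, int]:
        """Number of datagrams still waiting for fragments, grouped by source."""
        counts: Dict[str, int] = defaultdict(int)
        for (src, _dst, _ip_id) in self.queues:
            counts[src] += 1
        return dict(counts)

    def suspicious_sources(self) -> List[str]:
        """Sources at or above the threshold; candidates for an ACL or rate limit."""
        return sorted(s for s, n in self.incomplete_by_source().items() if n >= self.threshold)


def build_sample_traffic() -> List[Fragment]:
    """Constructed traffic: one well-behaved host and one that never completes a datagram."""
    frags: List[Fragment] = []
    # Benign host: three 1200-byte datagrams, each split into a 1000-byte and a 200-byte piece.
    for i in range(3):
        frags.append(Fragment("192.0.2.10", "192.0.2.1", 100 + i, 0, True, 1000, float(i)))
        frags.append(Fragment("192.0.2.10", "192.0.2.1", 100 + i, 125, False, 200, i + 0.001))
    # Noisy host: 40 fragments, each with a fresh IP ID, none at offset 0, none final,
    # so every one opens a reassembly queue that can never be completed.
    for i in range(40):
        frags.append(Fragment("198.51.100.7", "192.0.2.1", 5000 + i, 3, True, 64, 1.0 + i * 0.01))
    return frags


def analyze(frags: List[Fragment], threshold: int = 20) -> FragmentMonitor:
    mon = FragmentMonitor(threshold=threshold)
    for f in frags:
        mon.observe(f)
    return mon


if __name__ == "__main__":
    mon = analyze(build_sample_traffic())
    print("completed datagrams:", mon.completed)
    print("incomplete by source:", mon.incomplete_by_source())
    print("rate-limit candidates:", mon.suspicious_sources())
```

On the constructed input the benign host's three datagrams reassemble and leave no queue behind, while the noisy host accumulates 40 incomplete queues and is reported as the only rate-limit candidate. In practice the counts would come from flow records or packet captures at the affected interface, and the threshold would be tuned against the site's normal fragment rate before it drives an ACL.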

It's currently investigating whether the Cisco Application Policy Infrastructure Controller (APIC) Enterprise module is affected.

FragmentSmack, and a similar DoS bug called SegmentSmack, were disclosed by the Vulnerability Coordination team of the National Cyber Security Centre of Finland (NCSC-FI) and the CERT Coordination Center (CERT/CC) in mid-August.

The bugs were discovered by Juha-Matti Tilli, of the Aalto University Department of Communications and Networking, and Nokia Bell Labs.

Cisco in August disclosed a DoS bug with a similar impact affecting its AsyncOS Software for Web Security Appliances, which a remote attacker could use to exhaust memory and cause the device to stop processing new TCP connections.
