Linux kernel bug: TCP flaw lets remote attackers stall devices with tiny DoS attack

'SegmentSmack' Linux bug gives a remote attacker the means to knock out a system with minimal traffic.
Written by Liam Tung, Contributing Writer


Security researchers are warning Linux users of a bug in Linux kernel versions 4.9 and up that a remote attacker could use to hit systems, including networking kit, with a denial-of-service attack.

The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are.

But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL.

A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port.


Because of this requirement, the attacks can't be performed with spoofed IP addresses, notes CERT/CC's Trent Novelly.

The bug, which has the identifier CVE-2018-5390, has been dubbed 'SegmentSmack' by Red Hat.

The "expensive" TCP calls cause the CPU to become saturated on the affected system, in turn creating the DoS condition. An attacker could do this "with a relatively small bandwidth of the incoming network traffic", notes enterprise Linux distribution maker, Red Hat.

"In a worst-case scenario, an attacker can stall an affected host or device with less than 2kpps [2,000 packets per second] of an attack traffic," explains the software company.

"A result of the attack with four streams can look like a complete saturation of four CPU cores and delays in a network packets processing," it adds in its advisory.

It has confirmed that Red Hat systems affected include those running RHEL 6 and 7, RHEL 7 for Real Time, RHEL 7 for ARM64 systems, RHEL 7 for IBM POWER systems, and RHEL Atomic Host.

Unfortunately for admins there's "no effective workaround/mitigation besides a fixed kernel is known at this time", according to Red Hat.
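Until a fixed kernel is installed, the receive-queue pruning and collapsing described above can at least be watched for in the kernel's TcpExt counters. The script below is an added example, not code from the article, CERT/CC or Red Hat; the alert thresholds and the sample snapshots are assumptions made for illustration.

```python
import time

# TcpExt counters related to receive-queue pruning/collapsing and out-of-order queueing.
WATCHED = ("PruneCalled", "OfoPruned", "TCPRcvCollapsed", "TCPOFOQueue")

def parse_netstat(text):
    """Return {counter: int} for the TcpExt section of /proc/net/netstat.

    The file is a series of line pairs: a header line of counter names and
    a line of values, both starting with the same 'Prefix:' token."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    for names, values in zip(rows[::2], rows[1::2]):
        if names[0] == values[0] == "TcpExt:":
            return dict(zip(names[1:], map(int, values[1:])))
    raise ValueError("no TcpExt section found")

def ofo_rates(before, after, seconds):
    """Per-second increase of each watched counter between two snapshots."""
    a, b = parse_netstat(before), parse_netstat(after)
    return {k: (b.get(k, 0) - a.get(k, 0)) / seconds for k in WATCHED}

def looks_like_ofo_pressure(rates, prune_per_sec=50, collapse_per_sec=500):
    """Assumed heuristic: tune both thresholds against the host's own baseline."""
    return (rates["OfoPruned"] >= prune_per_sec
            or rates["TCPRcvCollapsed"] >= collapse_per_sec)

# Constructed snapshots, trimmed to a few columns and taken 10 seconds apart.
SAMPLE_T0 = """\
TcpExt: SyncookiesSent PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue
TcpExt: 0 12 0 3 140 9021
IpExt: InNoRoutes InOctets OutOctets
IpExt: 0 88231411 40211873
"""
SAMPLE_T1 = """\
TcpExt: SyncookiesSent PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue
TcpExt: 0 19012 0 18503 6140 29021
IpExt: InNoRoutes InOctets OutOctets
IpExt: 0 88934002 40230115
"""

def snapshot(path="/proc/net/netstat"):
    with open(path) as fh:
        return fh.read()

if __name__ == "__main__":  # live check on a Linux host
    t0 = snapshot(); time.sleep(10); t1 = snapshot()
    rates = ofo_rates(t0, t1, 10)
    print(rates, "ALERT" if looks_like_ofo_pressure(rates) else "ok")
```

A sustained alert alongside saturated CPU cores is a cue to look at which established TCP sessions are delivering the out-of-order segments, since the attack cannot come from spoofed addresses.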

The bug was found by Juha-Matti Tilli of a Nokia Bell Labs-supported networking department at Finland's Aalto University, where Finnish-born Linux kernel founder Linus Torvalds famously gave his own version of a SegmentSmack to Nvidia for not supporting Linux with its Optimus technology.
