Discussion:
[SECURITY] [DSA 4272-1] linux security update
Matus UHLAR - fantomas
2018-08-15 14:02:59 UTC
Permalink
Hello,
CVE-2018-5391 (FragmentSmack)
Juha-Matti Tilli discovered a flaw in the way the Linux kernel
handled reassembly of fragmented IPv4 and IPv6 packets. A remote
attacker can take advantage of this flaw to trigger time and
calculation expensive fragment reassembly algorithms by sending
specially crafted packets, leading to remote denial of service.
This is mitigated by reducing the default limits on memory usage
for incomplete fragmented packets. The same mitigation can be
net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608
It seems that the thresholds should be applied in reverse order, the stretch
kernel complains if we try to shring the high threshold below the low one
(and is probably right).
For the stable distribution (stretch), this problem has been fixed in
version 4.9.110-3+deb9u2.
(just a note for those who can't just reboot).
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Salvatore Bonaccorso
2018-08-15 14:26:59 UTC
Permalink
Hi,
Post by Matus UHLAR - fantomas
Hello,
CVE-2018-5391 (FragmentSmack)
Juha-Matti Tilli discovered a flaw in the way the Linux kernel
handled reassembly of fragmented IPv4 and IPv6 packets. A remote
attacker can take advantage of this flaw to trigger time and
calculation expensive fragment reassembly algorithms by sending
specially crafted packets, leading to remote denial of service.
This is mitigated by reducing the default limits on memory usage
for incomplete fragmented packets. The same mitigation can be
net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608
It seems that the thresholds should be applied in reverse order, the stretch
kernel complains if we try to shring the high threshold below the low one
(and is probably right).
Yes that's right. I have fixed this information/listing in the
webversion of the DSA, but cannot be fixed for the sent mail.
I asked debian-www team if the listing can be improved there.

Regards,
Salvatore

Loading...