Recently, a researcher has discovered a critical TCP vulnerability in the Linux Kernel that could trigger cyber attacks. Precisely, by exploiting this flaw, any potential bad actors could trigger resource exhaustion attacks through an open port. This vulnerability, termed as ‘SegmentSmack’, primarily targets Linux 4.9 and above. Fortunately, Linux developers have released a patch for it.
‘SegmentSmack’ – TCP Vulnerability Affecting Linux 4.9 And Above
The researcher Juha-Matti Tilli, from the Aalto University reported a Linux Kernel vulnerability that could potentially trigger Denial of Service (DoS) attacks. The flaw named as ‘SegmentSmack’, that acquires CVE number CVE-2018–5390. Using this flaw, an attacker could trigger DoS attacks by sending modified packets during an ongoing TCP session.
As stated on the CERT advisory,
“Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions.”
These modified TCP sessions could result in CPU saturation, ultimately leading to a denial of service. Red Hat further puts an insight to this flaw in their article, stating,
“In a worst case scenario, an attacker can stall an affected host or device with less than 2 kpps of an attack traffic.”
Effective maintenance of DoS calls requires continuous two-way TCP sessions to an accessible open port. Therefore, an attacker cannot exploit this flaw with a spoofed IP address.
Linux Already Released A Patch For It
Gladly, Linux has already released fixes for this vulnerability in the latest update. The patch series employs limiting the CPU cycles which eventually render the vulnerability non-critical. However, for the moment, this is the only patch applicable to protect oneself from this SegmentSmack. For now, the developers have released no further patch however they may consider looking for some other approaches. Something to keep in mind is that currently proof of concept has not been provided.
As stated by the developers,
“This patch series makes sure we cut CPU cycles enough to render the attack not critical. We might in the future go further, like disconnecting or black-holing proven malicious flows.”
Let us know what you think in the comments section.