what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FreeBSD Security Advisory - FreeBSD-SA-18:10.ip

FreeBSD Security Advisory - FreeBSD-SA-18:10.ip
Posted Aug 15, 2018
Authored by Juha-Matti Tilli | Site security.freebsd.org

FreeBSD Security Advisory - A researcher has notified us of a DoS attack applicable to another operating system. While FreeBSD may not be vulnerable to that exact attack, we have identified several places where inadequate DoS protection could allow an attacker to consume system resources. It is not necessary that the attacker be able to establish two-way communication to carry out these attacks. These attacks impact both IPv4 and IPv6 fragment reassembly. In the worst case, an attacker could send a stream of crafted fragments with a low packet rate which would consume a substantial amount of CPU. Other attack vectors allow an attacker to send a stream of crafted fragments which could consume a large amount of CPU or all available mbuf clusters on the system. These attacks could temporarily render a system unreachable through network interfaces or temporarily render a system unresponsive. The effects of the attack should clear within 60 seconds after the attack stops.

tags | advisory
systems | freebsd, bsd
advisories | CVE-2018-6923
SHA-256 | 8b9f6df8636fcf62bb78a92076b061ee35605960add8fc0553f1a51de4f13bbf

FreeBSD Security Advisory - FreeBSD-SA-18:10.ip

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

============================================================================
FreeBSD-SA-18:10.ip Security Advisory
The FreeBSD Project

Topic: Resource exhaustion in IP fragment reassembly

Category: core
Module: inet
Announced: 2018-08-14
Credits: Juha-Matti Tilli <juha-matti.tilli@iki.fi> from
Aalto University, Department of Communications and Networking
and Nokia Bell Labs
Affects: All supported versions of FreeBSD.
Corrected: 2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name: CVE-2018-6923

Special note: Due to source code differences in FreeBSD 10-stable a patch
is not yet available for FreeBSD 10.4. This will follow at
a later date.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of
packets which are too big to traverse all the links between two end
stations. Any router along the path between two end hosts may fragment
packets which are larger than a link's maximum transmission unit
(MTU). FreeBSD's implementation of some IPv4 protocols (such as the
Transmission Control Protocol [TCP]) perform path MTU discovery to
avoid the need for fragmentation.

IP version 6 (IPv6) retains the concept of packet fragmentation. It
changed the fragmentation operation to require that the originating
end-system perform path MTU discovery and fragment packets which are
too large for any MTU along the path between two end systems.

While all hosts attached to the Internet are required to support
fragmentation and reassembly, many hosts will encounter very few
legitimate fragmented packets due to the operation of path MTU discovery.

II. Problem Description

A researcher has notified us of a DoS attack applicable to another
operating system. While FreeBSD may not be vulnerable to that exact
attack, we have identified several places where inadequate DoS protection
could allow an attacker to consume system resources.

It is not necessary that the attacker be able to establish two-way
communication to carry out these attacks. These attacks impact both
IPv4 and IPv6 fragment reassembly.

III. Impact

In the worst case, an attacker could send a stream of crafted
fragments with a low packet rate which would consume a substantial
amount of CPU.

Other attack vectors allow an attacker to send a stream of crafted
fragments which could consume a large amount of CPU or all available
mbuf clusters on the system.

These attacks could temporarily render a system unreachable through
network interfaces or temporarily render a system unresponsive. The
effects of the attack should clear within 60 seconds after the attack stops.

IV. Workaround

Disable fragment reassembly, using these commands:
% sysctl net.inet.ip.maxfragpackets=0
% sysctl net.inet6.ip6.maxfrags=0

On systems compiled with VIMAGE, these sysctls will need to be
executed for each VNET.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release or
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
# gpg --verify ip.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r337804
releng/11.1/ r337828
releng/11.2/ r337828
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://www.kb.cert.org/vuls/id/641765>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6923>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:10.ip.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.2.9 (FreeBSD)

iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztekACgkQ05eS9J6n
5cJekQ/+PAOPGiPwpafBGuxwZVOaB3JloxJATPzg8z7PE7lvvo6I4pdwP0wq7ruJ
vRejKXJPDPkDcNziyhB+QdhTXt3O1OAvow9n89nNKiLYX44+C2igTSbHGVe7lIFN
NHvzGSJsdaPnm9qdvD3R7ZWT4vkNvoDiDiNChBSw829ZyGgLe1wNOOqQvsqVlwQt
1p0ikLHv30wbSX5KlSkLUSYA66pwcEd8eZFM43pwOZw9eIhcggAhufjTWdgnIBZA
ZYiMqUi/7ZydO2YW55cVa290tP8JGf6PynmYwBJWTGInz2RlM18TyBcWILewgXic
PM7jJ75thqd26BcPCh44toZWT8A7EYYiZ6iieLfAaQD7R6zqkeVwT39kV50YYRmW
tA3jmTKhJ1B0AXQbkh3QZw8cfgIOMYzcbjy4MCcBS3XbehRuT58Jvc8nFFsrypuE
FF4O3GtqFBKJUrcCJZF0VR0CvU7GUxTeYmS/9dNfQMJlEouFdPatn2jJwTfkiu0O
I1NlDHA6jriZxepaSa+zxqF86pxNvTI5gRouWwMdevtEPVZGBF8A+DDA5fk1wcdS
dEV4jcxcg1LH+EPBItYTh7seYYPodFdSyu5X/hLGBo/4XyA4Mb3xIjct74nKr0qx
bPR3y53fV9+4JWazgO0bIlMG8XVH4go8Rh9n0IKdqv8xwdLVo3wUfE
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close