Threat Watch

Linux Kernel Vulnerability

Researchers have discovered a vulnerability (CVE-2018-5390) in the Linux kernel version 4.9 that could lead to a DoS (denial of service) attack. Newer versions of the Linux kernel could be forced to make expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet, which could lead to the DoS condition. The attack could be caused by a remote attacker sending specially crafted packets within ongoing TCP sessions; however, the attacker would need an established two-way TCP session to an open port. The warning by Carnegie Mellon University’s CERT/CC lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected, but has yet to confirm whether any of them actually are. Because of the widespread use of Linux, the flaw could affect every vendor from Amazon and Apple to Ubuntu and ZyXEL. The TCP calls cause the CPU to become saturated on the affected system, which creates the DoS condition. The attacker could do this with very little bandwidth on the incoming network traffic and could stall the affected host with less than 2 kpps (2,000 packets per second).
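As an added detection example (not part of the advisory), the following Python script flags established TCP flows that show the traffic shape described above: a high inbound segment rate made up of tiny, non-contiguous segments. The capture records are constructed inline; the IP addresses, ports and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Segment:
    ts: float     # capture timestamp in seconds
    flow: tuple   # (src_ip, src_port, dst_ip, dst_port), direction towards the host
    seq: int      # TCP sequence number
    length: int   # payload bytes

def make_samples():
    """Constructed capture (not real traffic): one benign bulk flow and one flow
    with tiny, non-contiguous segments at about 1.5 kpps inside a session."""
    segs = []
    benign = ("10.0.0.5", 40000, "10.0.0.1", 443)
    for i in range(300):                      # 300 pps, in order, 1400-byte payloads
        segs.append(Segment(i / 300, benign, 1000 + i * 1400, 1400))
    odd = ("203.0.113.9", 51000, "10.0.0.1", 443)
    for i in range(1500):                     # 1500 pps, 1-byte payloads, scattered seq
        segs.append(Segment(i / 1500, odd, 5000 + (i * 7919) % 65536, 1))
    return segs

def analyze(segments, pps_threshold=1000, max_mean_payload=64, min_ooo_ratio=0.5):
    """Per-flow packet rate, share of segments that do not continue the previous
    one (out of order or gapped) and mean payload; flagged when all three match."""
    per_flow = defaultdict(list)
    for s in segments:
        per_flow[s.flow].append(s)
    report = {}
    for flow, segs in per_flow.items():
        segs.sort(key=lambda s: s.ts)
        span = max(segs[-1].ts - segs[0].ts, 1e-3)   # avoid division by zero
        pps = len(segs) / span
        expected, ooo = segs[0].seq, 0
        for s in segs:
            if s.seq != expected:                     # does not continue the last segment
                ooo += 1
            expected = s.seq + s.length
        ooo_ratio = ooo / len(segs)
        mean_payload = sum(s.length for s in segs) / len(segs)
        report[flow] = {
            "pps": pps, "ooo_ratio": ooo_ratio, "mean_payload": mean_payload,
            "flagged": pps >= pps_threshold and mean_payload <= max_mean_payload
                       and ooo_ratio >= min_ooo_ratio,
        }
    return report

def flagged_flows(segments):
    """Sorted list of flow tuples that meet all three thresholds."""
    return sorted(f for f, r in analyze(segments).items() if r["flagged"])
```

Rate and out-of-order thresholds should be tuned per host; the 2 kpps figure from the advisory is an upper bound on what the attack needs, not a floor for detection.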

ANALYST NOTES