oss-sec mailing list archives
CVE-2018-14641: Linux kernel: a security flaw in the ip_frag_reasm()
From: Vladis Dronov <vdronov () redhat com>
Date: Tue, 18 Sep 2018 06:02:29 -0400 (EDT)
Heololo,

A security flaw was found in the ip_frag_reasm() function in
net/ipv4/ip_fragment.c in the Linux kernel which can cause a later system
crash in ip_do_fragment(). With a certain non-default but non-rare
configuration of a victim host an attacker can trigger this crash remotely,
thus leading to a remote denial-of-service.

The CVE-ID CVE-2018-14641 was assigned to this flaw and we would suggest
using it in the public communications.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1629636

The flaw was introduced in:

  $ git tag --contain fa0f527358bd
  v4.19-rc1

and fixed in:

  $ git tag --contain 5d407b071dc3
  v4.19-rc4

The fix is the upstream commit 5d407b071dc3 ("ip: frags: fix crash in
ip_do_fragment()") and it is fixing fa0f527358bd ("ip: use rb trees for IP
frag queue."). Namely, the following part of fa0f527358bd which unions the
sk and ip_defrag_offset fields of struct sk_buff has introduced the
vulnerability:

+++ b/include/linux/skbuff.h
@@ -676,13 +676,16 @@ struct sk_buff {
+
+	union {
+		struct sock		*sk;
+		int			ip_defrag_offset;
+	};

Distributions which have backported this part of fa0f527358bd (which in
turn is a part of the fix of CVE-2018-5391/FragmentSmack) are vulnerable.

For the remote attack, masquerading and forwarding should be configured on
a victim host. Then an attacker can ping an external host from inside a
masqueraded zone, so that the malicious ping is masqueraded and forwarded
by a victim host. This is not a default but (we believe) not a rare
configuration, so, for example, a VM hosting provider could be vulnerable.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
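Review bot: the union makes sk and ip_defrag_offset the same bytes, so any skb that leaves the fragment queue with a non-zero ip_defrag_offset presents that integer to later code as a non-NULL struct sock pointer; as the advisory says, ip_do_fragment() is one such consumer and crashes on it. Suggest that the reassembly path reset the aliased slot (sk = NULL, equivalently ip_defrag_offset = 0) on every skb before it is handed back to the stack, and that the union carry a comment stating that ip_defrag_offset is only meaningful while the skb sits in a frag queue and that sk must be treated as invalid there.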
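As an added illustration (my own code, not the kernel's and not part of this advisory), here is a scaled-down C model of that union: a fragment is orphaned, the reassembly bookkeeping writes its offset into the aliased slot, and a later consumer that trusts a non-NULL sk, as the text says ip_do_fragment() does, sees garbage unless the slot is reset before hand-off. Everything except the field names sk and ip_defrag_offset (struct mini_skb, the model_* functions, the offset 1480) is an assumption made for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct sock { int refcnt; };  /* placeholder, not the kernel's struct sock */

/* Hypothetical cut-down sk_buff carrying only the aliased fields. */
struct mini_skb {
    union {
        struct sock *sk;       /* owning socket; NULL for forwarded skbs */
        int ip_defrag_offset;  /* reassembly bookkeeping, same bytes as sk */
    };
};

/* Models the defrag enqueue: skb_orphan() clears sk, then the fragment's
 * offset is stored in the union, overwriting the NULL pointer's bytes. */
static void model_defrag_enqueue(struct mini_skb *skb, int frag_offset)
{
    skb->sk = NULL;
    skb->ip_defrag_offset = frag_offset;
}

/* Models handing the reassembled skb back to the stack. fixed == false leaves
 * the stale offset in place (the flaw); fixed == true resets the slot first. */
static void model_reasm_handoff(struct mini_skb *skb, bool fixed)
{
    if (fixed)
        skb->sk = NULL;  /* same bytes as ip_defrag_offset = 0 */
}

/* Models a consumer like ip_do_fragment() that dereferences a non-NULL sk. */
static bool model_consumer_would_crash(const struct mini_skb *skb)
{
    return skb->sk != NULL;  /* a non-zero offset looks like a live socket */
}

/* Runs one fragment through the model; true means the consumer sees garbage. */
bool stale_offset_escapes(int frag_offset, bool fixed)
{
    struct mini_skb skb = {0};
    model_defrag_enqueue(&skb, frag_offset);
    model_reasm_handoff(&skb, fixed);
    return model_consumer_would_crash(&skb);
}

int main(void)
{
    printf("unfixed, offset 1480: %s\n", stale_offset_escapes(1480, false) ? "bogus sk" : "ok");
    printf("fixed,   offset 1480: %s\n", stale_offset_escapes(1480, true) ? "bogus sk" : "ok");
    return 0;
}
```

The model shows the defender-side check that matters for backports: any skb that can reach skb->sk consumers after reassembly must have the aliased slot cleared, not merely orphaned before enqueue.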