[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 4272-1] linux security update


On 14.08.18 21:52, Salvatore Bonaccorso wrote:
CVE-2018-5391 (FragmentSmack)

   Juha-Matti Tilli discovered a flaw in the way the Linux kernel
   handled reassembly of fragmented IPv4 and IPv6 packets. A remote
   attacker can take advantage of this flaw to trigger time and
   calculation expensive fragment reassembly algorithms by sending
   specially crafted packets, leading to remote denial of service.

   This is mitigated by reducing the default limits on memory usage
   for incomplete fragmented packets.  The same mitigation can be
   achieved without the need to reboot, by setting the sysctls:

   net.ipv4.ipfrag_high_thresh = 262144
   net.ipv6.ip6frag_high_thresh = 262144
   net.ipv4.ipfrag_low_thresh = 196608
   net.ipv6.ip6frag_low_thresh = 196608

It seems that the thresholds should be applied in reverse order, the stretch
kernel complains if we try to shring the high threshold below the low one
(and is probably right).

For the stable distribution (stretch), this problem has been fixed in
version 4.9.110-3+deb9u2.

(just a note for those who can't just reboot).

Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Reply to: