Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.2417 Resource exhaustion in IP fragment reassembly 17 August 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: kernel Publisher: FreeBSD Operating System: FreeBSD Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Mitigation CVE Names: CVE-2018-6923 Original Bulletin: https://security.freebsd.org/advisories/FreeBSD-SA-18:10.ip.asc - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-18:10.ip Security Advisory The FreeBSD Project Topic: Resource exhaustion in IP fragment reassembly Category: core Module: inet Announced: 2018-08-14 Credits: Juha-Matti Tilli <juha-matti.tilli@iki.fi> from Aalto University, Department of Communications and Networking and Nokia Bell Labs Affects: All supported versions of FreeBSD. Corrected: 2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE) 2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2) 2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13) CVE Name: CVE-2018-6923 Special note: Due to source code differences in FreeBSD 10-stable a patch is not yet available for FreeBSD 10.4. This will follow at a later date. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of packets which are too big to traverse all the links between two end stations. Any router along the path between two end hosts may fragment packets which are larger than a link's maximum transmission unit (MTU). FreeBSD's implementation of some IPv4 protocols (such as the Transmission Control Protocol [TCP]) perform path MTU discovery to avoid the need for fragmentation. IP version 6 (IPv6) retains the concept of packet fragmentation. It changed the fragmentation operation to require that the originating end-system perform path MTU discovery and fragment packets which are too large for any MTU along the path between two end systems. While all hosts attached to the Internet are required to support fragmentation and reassembly, many hosts will encounter very few legitimate fragmented packets due to the operation of path MTU discovery. II. Problem Description A researcher has notified us of a DoS attack applicable to another operating system. While FreeBSD may not be vulnerable to that exact attack, we have identified several places where inadequate DoS protection could allow an attacker to consume system resources. It is not necessary that the attacker be able to establish two-way communication to carry out these attacks. These attacks impact both IPv4 and IPv6 fragment reassembly. III. Impact In the worst case, an attacker could send a stream of crafted fragments with a low packet rate which would consume a substantial amount of CPU. Other attack vectors allow an attacker to send a stream of crafted fragments which could consume a large amount of CPU or all available mbuf clusters on the system. These attacks could temporarily render a system unreachable through network interfaces or temporarily render a system unresponsive. The effects of the attack should clear within 60 seconds after the attack stops. IV. Workaround Disable fragment reassembly, using these commands: % sysctl net.inet.ip.maxfragpackets=0 % sysctl net.inet6.ip6.maxfrags=0 On systems compiled with VIMAGE, these sysctls will need to be executed for each VNET. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release or security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterward, reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterward, reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.x] # fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch # fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc # gpg --verify ip.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - - ------------------------------------------------------------------------- stable/11/ r337804 releng/11.1/ r337828 releng/11.2/ r337828 - - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://www.kb.cert.org/vuls/id/641765> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6923> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:10.ip.asc> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.2.9 (FreeBSD) iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztekACgkQ05eS9J6n 5cJekQ/+PAOPGiPwpafBGuxwZVOaB3JloxJATPzg8z7PE7lvvo6I4pdwP0wq7ruJ vRejKXJPDPkDcNziyhB+QdhTXt3O1OAvow9n89nNKiLYX44+C2igTSbHGVe7lIFN NHvzGSJsdaPnm9qdvD3R7ZWT4vkNvoDiDiNChBSw829ZyGgLe1wNOOqQvsqVlwQt 1p0ikLHv30wbSX5KlSkLUSYA66pwcEd8eZFM43pwOZw9eIhcggAhufjTWdgnIBZA ZYiMqUi/7ZydO2YW55cVa290tP8JGf6PynmYwBJWTGInz2RlM18TyBcWILewgXic PM7jJ75thqd26BcPCh44toZWT8A7EYYiZ6iieLfAaQD7R6zqkeVwT39kV50YYRmW tA3jmTKhJ1B0AXQbkh3QZw8cfgIOMYzcbjy4MCcBS3XbehRuT58Jvc8nFFsrypuE FF4O3GtqFBKJUrcCJZF0VR0CvU7GUxTeYmS/9dNfQMJlEouFdPatn2jJwTfkiu0O I1NlDHA6jriZxepaSa+zxqF86pxNvTI5gRouWwMdevtEPVZGBF8A+DDA5fk1wcdS dEV4jcxcg1LH+EPBItYTh7seYYPodFdSyu5X/hLGBo/4XyA4Mb3xIjct74nKr0qx bPR3y53fV9+4JWazgO0bIlMG8XVH4go8Rh9n0IKdqv8xwdLVo3w= =ddfE - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW3ZlS2aOgq3Tt24GAQiolRAAsODEK9lCF3EkbFmp0N+oJT3xv/z+knJq wU9poL5kLlUCQVQVB+R4tIj3i3ozt79sqo47shNfuVtkfZbPF3v3l8fZf6sOYMmY h/H73LE5eQDAaJpbmF3PISQPlFUzIsw71VpR+a/c/ssdDuefbLhxYCwKn+e+aocn iSkNsXrO3wnIoA/Q/QVOcUf6JhmeMYUNb7u8gkZXVBqyVe/MIV/PfuYtRBUpzxPK uz5d9jA/DAfeWaCBwdr2FqGbfoEUexdycEN3t779M0r9uVt0iI4e5FVsJb7kQsYp w817BscSCKyXRnoujE4V0U6CngILvveDfgMTHffRyUz500y0OPm9scMpj6C4IWUS F5BiQsw5JaT7K8DOUxV5VrpyGfvsd1iWaCWXuFEpHVh5b81sJdctc3Af2/3d3her SWKeSfOdWNZNcYPBZ9tmx5ScGgDi80KSXkv7DHJGeWGXAuPvX3/x3XA0ir5p//ce CrGWNq4S1EcTzimdo2eYm9AhQW8pnv5SrcZsRG7AK9HyFbGyumRJHfj4eJ9rXUQd tipm7utOp/a7NlXvP0m5ZUWxFY7HTEcRO3a/wRNxCcT21hGRm0nPyA750ngFJ0LA 9M8dY+3x6KIFfrNaUpuhPYl9xx1UiaEHwUJjiTvhYFAU3uhTzn3x7KBYvBlLdcjY /Ubv0ydmKko= =9ofH -----END PGP SIGNATURE-----