CVE-2018-5390漏洞預警
RedHat將Linux kernel TCP漏洞(CVE-2018-5390)命名為SegmentSmack。研究人員發現對每個進入的包,tcp_collapse_ofo_queue()和tcp_prune_ofo_queue()的調用成本很高,會導致DoS攻擊。
攻擊者可以使用修改過的數據包來進行代價較大的調用,這會讓帶寬較小的網路中系統的CPU利用率達到飽和狀態,導致DoS攻擊。在最壞情況下,2k個包每秒的流量就可以導致系統拒絕服務。攻擊會使系統CPU處於滿負荷狀態,同時網路包處理會有很大的延遲。
$ top%Cpu25 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.5 si, 0.0 st%Cpu26 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.6 si, 0.0 st%Cpu28 : 0.0 us, 0.3 sy, 0.0 ni, 0.7 id, 0.0 wa, 0.0 hi, 99.0 si, 0.0 st%Cpu30 : 0.0 us, 0.0 sy, 0.0 ni, 1.4 id, 0.0 wa, 0.0 hi, 98.6 si, 0.0 st PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 141 root 20 0 0 0 0 R 97.3 0.0 1:16.33 ksoftirqd/26 151 root 20 0 0 0 0 R 97.3 0.0 1:16.68 ksoftirqd/28 136 root 20 0 0 0 0 R 97.0 0.0 0:39.09 ksoftirqd/25 161 root 20 0 0 0 0 R 97.0 0.0 1:16.48 ksoftirqd/30
因為DoS攻擊需要到開放、可達埠的雙向TCP session,所以用偽造的IP地址不能發起此類攻擊。
為了解決該漏洞,Linux kernel開發人員已經發布了補丁。截止目前,除了運行修復的內核外,還沒有其他緩解的方法,也沒有攻擊PoC發布。
補丁地址:https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e
漏洞影響Linux kernel 4.9及以上版本。因為Linux內核的廣泛應用,漏洞會影響軟、硬體廠商,包括亞馬遜、Apple、Ubuntu、ZyXEL等。
受影響的網路設備廠商、PC和伺服器廠商、手機廠商、操作系統廠商列表:
·3com Inc
·A10 Networks
·ACCESS
·Actelis Networks
·Actiontec
·ADTRAN
·aep NETWORKS
·Aerohive
·AhnLab Inc
·AirWatch
·Akamai Technologies, Inc.
·Alcatel-Lucent Enterprise
·Amazon
·Android Open Source Project
·ANTlabs
·Appgate Network Security
·Apple
·Arch Linux
·Arista Networks, Inc.
·ARRIS
·Aruba Networks
·ASP Linux
·AsusTek Computer Inc.
·AT&T
·Avaya, Inc.
·AVM GmbH
·Barracuda Networks
·Belkin, Inc.
·Bell Canada Enterprises
·BlackBerry
·BlueCat Networks, Inc.
·Broadcom
·Brocade Communication Systems
·CA Technologies
·Cambium Networks
·Check Point Software Technologies
·Cisco
·Comcast
·Command Software Systems
·CoreOS
·Cradlepoint
·D-Link Systems, Inc.
·Debian GNU/Linux
·Dell
·Dell EMC
·Dell SecureWorks
·DesktopBSD
·Deutsche Telekom
·Devicescape
·Digi International
·dnsmasq
·DragonFly BSD Project
·eero
·EfficientIP SAS
·Ericsson
·Espressif Systems
·European Registry for Internet Domains
·Express Logic
·Extreme Networks
·F-Secure Corporation
·F5 Networks, Inc.
·Fedora Project
·Force10 Networks
·Fortinet, Inc.
·Foundry Brocade
·FreeBSD Project
·Geexbox
·Gentoo Linux
·GNU glibc
·HardenedBSD
·Hitachi
·Honeywell
·HP Inc.
·HTC
·Huawei Technologies
·IBM Corporation (zseries)
·IBM eServer
·IBM, INC.
·Infoblox
·InfoExpress, Inc.
·Intel
·Internet Systems Consortium
·Internet Systems Consortium - DHCP
·Interniche Technologies, inc.
·Joyent
·Juniper Networks
·Lancope
·Lantronix
·Lenovo
·Linksys
·m0n0wall
·Marvell Semiconductors
·McAfee
·MediaTek
·Medtronic
·Men & Mice
·MetaSwitch
·Micro Focus
·Microchip Technology
·Microsoft
·MikroTik
·Miredo
·Mitel Networks, Inc.
·NEC Corporation
·NetBSD
·Netgear, Inc.
·NETSCOUT
·netsnmp
·Nixu
·NLnet Labs
·Nokia
·Nominum
·OmniTI
·OpenBSD
·OpenConnect
·OpenDNS
·Openwall GNU/*/Linux
·Oracle Corporation
·Paessler
·Peplink
·pfSENSE
·Philips Electronics
·PowerDNS
·Pulse Secure
·QLogic
·QNX Software Systems Inc.
·Quagga
·QUALCOMM Incorporated
·Quantenna Communications
·Red Hat, Inc.
·Riverbed Technologies
·Roku
·Ruckus Wireless
·Samsung Mobile
·Samsung Semiconductor Inc.
·Secure64 Software Corporation
·Sierra Wireless
·Slackware Linux Inc.
·Snort
·SonicWall
·Sonos
·Sony Corporation
·Sophos, Inc.
·Sourcefire
·SUSE Linux
·Symantec
·Synology
·Technicolor
·TippingPoint Technologies Inc.
·Toshiba Commerce Solutions
·TP-LINK
·TrueOS
·Turbolinux
·Ubiquiti Networks
·Ubuntu
·Unisys
·VMware
·Wind River
·Xilinx
·Zebra Technologies
·Zephyr Project
·ZyXEL
參考:
https://www.zdnet.com/article/linux-kernel-bug-tcp-flaw-lets-remote-attackers-stall-devices-with-tiny-dos-attack/
https://access.redhat.com/articles/3553061
https://fossbytes.com/segmentsmack-tcp-flaw-linux-kernel-remote-denial-of-service/
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=962459&SearchOrder=4
※關於汽車共享App的研究
※盤點迄今為止Mirai的7大變種
TAG:嘶吼RoarTalk |