FreeBSD has its own TCP-queue-of-death bug, easier to hose than Linux’s SegmentSmack


Hard on the heels of the Linux kernel’s packets-of-death attack dubbed SegmentSmack, a similar vulnerability has been disclosed and fixed in FreeBSD.
Attributed to SegmentSmack discoverer Juha-Matti Tilli of Aalto University in Finland, the FreeBSD TCP issue is related to how the operating system’s networking stack reassembles segmented packets. Much in the same way Linux kernel versions 4.9 and higher can be brought down by bad network traffic, a sequence of maliciously crafted packets can also crash FreeBSD machines.
FreeBSD 10, 10.4, 11, 11.1, and 11.2 are affected, and the maintainers have released patches to mitigate the programming cockup. In the open-source operating system project’s advisory for CVE-2018-6922 (Linux’s SegmentSmack was assigned CVE-2018-5390), the problem was this week described as an “inefficient algorithm” involving a segment reassembly data structure.
There’s a key difference between this bug and Linux’s SegmentSmack. The latter only works if the attacker establishes a two-way TCP connection to the target. In contrast, the FreeBSD bug is easier to exploit, and therefore easier to use to trigger a denial-of-service in a target. The FreeBSD advisory stated: “An attacker who has the ability to send TCP traffic to a victim system can degrade the victim system’s network performance and/or consume excessive CPU by exploiting the inefficiency of TCP reassembly handling, with relatively small bandwidth cost.”
Prior to patching and rebooting, sysadmins can work around the issue by limiting the size of the TCP reassembly queue (which defaults to 100), with the trade-off that a smaller queue can result in lost packets, and the retransmission process will limit performance.
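
The trade-off behind that workaround, as an added example that is not taken from the article, the advisory or FreeBSD's source: a toy C model in which one connection's reassembly queue is a sorted list searched linearly, fed a constructed stream of out-of-order segments. The names `reass_model` and `queue_cap`, the list layout and the sample segment order are all assumptions made for illustration.

```c
#include <stdio.h>

#define MAX_SEGS 4096

struct reass_stats {
    long comparisons; /* queue entries examined while finding insert points */
    int queued;       /* segments held in the queue at the end */
    int dropped;      /* segments refused because the queue was at its cap */
};

/* Toy model (an assumption, not FreeBSD's code): one connection's reassembly
 * queue is a sorted list searched linearly from the head, and it never drains
 * because the missing in-order data does not arrive. queue_cap <= 0: no cap. */
struct reass_stats reass_model(int nsegs, int queue_cap)
{
    static unsigned queue[MAX_SEGS];
    struct reass_stats st = {0, 0, 0};
    unsigned state = 12345u; /* fixed seed: constructed, repeatable input */

    if (nsegs > MAX_SEGS) nsegs = MAX_SEGS;
    for (int i = 0; i < nsegs; i++) {
        state = state * 1103515245u + 12345u;     /* simple LCG */
        unsigned seq = (state >> 8) & 0xffffffu;  /* out-of-order sequence no. */
        if (queue_cap > 0 && st.queued >= queue_cap) {
            st.dropped++;  /* peer has to retransmit: the stated trade-off */
            continue;
        }
        int pos = 0;
        while (pos < st.queued) {  /* linear search for the insert point */
            st.comparisons++;
            if (queue[pos] >= seq)
                break;
            pos++;
        }
        for (int j = st.queued; j > pos; j--)     /* make room */
            queue[j] = queue[j - 1];
        queue[pos] = seq;
        st.queued++;
    }
    return st;
}

int main(void)
{
    struct reass_stats a = reass_model(4000, 0), b = reass_model(4000, 100);
    printf("no cap : %ld comparisons, %d dropped\n", a.comparisons, a.dropped);
    printf("cap 100: %ld comparisons, %d dropped\n", b.comparisons, b.dropped);
    return 0;
}
```

With the cap, the search work per segment is bounded by the queue length, and the cost moves to the `dropped` counter, which stands for segments the peer has to retransmit.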

Submitted by: Arnfried Walbrecht

