FreeBSD has its own TCP-queue-of-death bug, easier to hose than Linux's SegmentSmack
Also: Juniper jumps on its stack
Hard on the heels of the Linux kernel's packets-of-death attack dubbed SegmentSmack, a similar vulnerability has been disclosed and fixed in FreeBSD.
Attributed to SegmentSmack discoverer Juha-Matti Tilli of Aalto University in Finland, the FreeBSD TCP issue is related to how the operating system's networking stack reassembles segmented packets. Much in the same way Linux kernel versions 4.9 and higher can be brought down by bad network traffic, a sequence of maliciously crafted packets can also crash FreeBSD machines.
FreeBSD 10, 10.4, 11, 11.1, and 11.2 are affected, and the maintainers have released patches to mitigate the programming cockup. In the open-source operating system project's advisory for CVE-2018-6922 (Linux's SegmentSmack was assigned CVE-2018-5390), the problem was this week described as an “inefficient algorithm” involving a segment reassembly data structure.
Batten down the ports: Linux networking bug SegmentSmack could remotely crash systemsREAD MORE
“This causes the CPU time spent on segment processing to grow linearly with the number of segments in the reassembly queue,” the FreeBSD team's advisory continued.
There's a key different between this bug and Linux's SegmentSmack. The latter only works if the attacker establishes a two-way TCP connection to the target. In contrast, the FreeBSD bug is easier to exploit, and therefore trigger a denial-of-service in a target. The FreeBAS advisory stated: “An attacker who has the ability to send TCP traffic to a victim system can degrade the victim system's network performance and/or consume excessive CPU by exploiting the inefficiency of TCP reassembly handling, with relatively small bandwidth cost.”
Prior to patching and rebooting, sysadmins can work around the issue by limiting the size of the TCP reassembly queue (which defaults to 100), with the trade-off that a smaller queue can result in lost packets, and the retransmission process will limit performance.
Juniper jumps on SegmentSmack
Juniper Networks is one of the first networking hardware vendors to go public with details of its exposure to the Linux SegmentSmack flaw on systems running its Junos OS. Its advisory stated the MX Series routers, PTX Series routers, QFX Series switches, and NFX network services platforms are all confirmed vulnerable, as well as the various virtualized implementations of these products.
Juniper noted that a SegmentSmack attack can hose its target with a lower traffic rate than “typical thresholds for built-in Junos OS distributed denial-of-service (DDoS) protection, so additional configuration is required to defend against these issues on affected platforms.”
While it doesn't reference CVE-2018-6922, Juniper also noted that systems running on FreeBSD are vulnerable. The biz hasn't finished its testing, and noted in its advisory that “all platforms are assumed to be vulnerable until tested otherwise.”
Akamai said it patched its systems ahead of the SegmentSmack disclosure. The Register expects a rush of vendor announcements as they finish their security assessments. ®