
SANS ISC: What Do I Need To Know about "SegmentSmack" - SANS Internet Storm Center SANS ISC InfoSec Forums

What Do I Need To Know about "SegmentSmack"

"SegmentSmack" is yet another branded vulnerability, also known as CVE-2018-5390. It hit the "news" yesterday. Successful exploitation may lead to a denial of service against a targeted system. At this point, not a lot is known about this vulnerability, but here are some highlights:

  • Linux Kernel 4.9 is vulnerable. Older versions are not vulnerable. However, some Linux distributions, like RedHat ES 6 and 7, include the vulnerable code because they backported some of the 4.9 networking code into their kernels.
  • An attacker should not be able to exploit this vulnerability using a spoofed IP address. The attacker needs to first establish a TCP connection, which is very difficult with a spoofed address.
  • It is not known how much traffic the attacker will have to send, but likely not more than a user would send in a normal TCP connection.
  • The attack can be launched against any exposed TCP service (Web, Mail, DNS...).
  • The vulnerable functions, tcp_collapse_ofo_queue() and tcp_prune_ofo_queue(), are used to deal with reassembling TCP segments. This likely implies that an exploit would use many out-of-order or otherwise abnormal packets. But this is just a guess at this point.
  • If you are vulnerable, your best bet is to update. There is likely not much else you can do (e.g. firewall rules).

You can find more details here:

Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
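
A defender-side check tied to the reassembly functions named above, added here as an example and not part of the original diary: it parses two snapshots of /proc/net/netstat and reports how fast the kernel's out-of-order queue counters grew between them. The counter selection, the sample snapshots and the thresholds are assumptions of this example; high rates show reassembly pressure, which a lossy link can also cause.

```python
# TcpExt counters from /proc/net/netstat that move when the kernel queues,
# collapses or prunes out-of-order TCP segments. The selection is this
# example's choice, not something the diary specifies.
WATCHED = ("TCPOFOQueue", "TCPRcvCollapsed", "PruneCalled", "OfoPruned")


def parse_netstat(text, section="TcpExt"):
    """Return {counter: value} for one section of /proc/net/netstat."""
    # The file is line pairs: a row of names, then a row of values, both
    # starting with the same "Section:" prefix.
    rows = [ln.split() for ln in text.splitlines() if ln.startswith(section + ":")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError(f"malformed {section} section")
    return {name: int(val) for name, val in zip(rows[0][1:], rows[1][1:])}


def ofo_pressure(before, after, interval_s, limits):
    """Return {counter: rate per second} for watched counters over their limit."""
    alerts = {}
    for name in WATCHED:
        if name not in before or name not in after:
            continue  # counter not exposed by this kernel
        delta = after[name] - before[name]
        if delta < 0:  # counter reset (e.g. reboot): count from zero
            delta = after[name]
        rate = delta / interval_s
        if rate > limits.get(name, float("inf")):
            alerts[name] = rate
    return alerts


# Constructed snapshots, trimmed to a few columns, taken 10 seconds apart.
SAMPLE_T0 = """\
TcpExt: SyncookiesSent PruneCalled OfoPruned TCPRcvCollapsed TCPOFOQueue
TcpExt: 0 2 0 15 1200
IpExt: InOctets OutOctets
IpExt: 5000 7000
"""
SAMPLE_T1 = """\
TcpExt: SyncookiesSent PruneCalled OfoPruned TCPRcvCollapsed TCPOFOQueue
TcpExt: 0 4102 310 90015 951200
IpExt: InOctets OutOctets
IpExt: 9000 9900
"""
# Assumed per-second limits; set them from a baseline of your own hosts.
LIMITS = {"TCPOFOQueue": 5000, "TCPRcvCollapsed": 1000, "PruneCalled": 50, "OfoPruned": 10}

if __name__ == "__main__":
    print(ofo_pressure(parse_netstat(SAMPLE_T0), parse_netstat(SAMPLE_T1), 10, LIMITS))
```

On a live host, feed it two reads of /proc/net/netstat taken a known number of seconds apart instead of the embedded samples.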



4511 Posts
ISC Handler
Aug 8th 2018
The same vulnerability is also in FreeBSD and potentially other OSs also.
Could Windows OSs have this vulnerability or is this one contained to Linux?

1 Posts
Is it possible to detect Segment and/or Fragment Smack using Snort?
