
CVE-2015-5364 describes a UDP based DoS vulnerability in the Linux kernel that can be used to deny processing cycles to the host operating system and its applications.

https://access.redhat.com/security/cve/CVE-2015-5364

A flaw was found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality.

I noticed that Debian released a fix for this, but Red Hat still hasn't, and they're classifying this as Important instead of Critical. Important implies that there should be some sort of mitigating factor to the remote exploit, but none of the information I can find has done a good job of explaining what is reducing the risk.

All of this is mildly concerning, but since the internet (or at least Google) isn't on fire I'm forced to assume that Smart Security People aren't terribly concerned. Unfortunately, I'm not as smart as them!

While I'm happy to continue squeezing Red Hat for more information (and will update this Q&A if that begins yielding results), I figured that maybe Security.SE could lend a hand here with understanding this. I don't think that routers would be dropping the packets because the bad checksums are in the header of the encapsulated protocol, so what prevents this CVE from being a big deal?

Andrew B

1 Answer


The reason why it's important and not critical is not because there are mitigating factors. The description of Important is:

This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service.

Which is exactly what this flaw is. It's currently not classified as critical because critical would imply:

lead to system compromise (arbitrary code execution) without requiring user interaction

In the case of this vulnerability there is no arbitrary code execution. If you look at the base CVSS metrics, AV:N/AC:M/Au:N/C:N/I:N/A:C, there is only compromise to the availability of the machine. There is currently no compromise to the integrity or confidentiality.

Mitigating factors might not be available at the moment on Red Hat itself, but considering you need to send a UDP packet to the machine, you could easily configure your firewall (which you hopefully have in front of your internet facing machines and on your internal network zone demarcation points) to drop UDP packets.

Lucas Kauffman
  • That would indeed seem to be my reading comprehension failure, much obliged sir. My bad assumption seems rooted in that and the fact that the CVE wasn't getting much discussion despite its severity. Unfortunately, I'm in the DNS biz, so firewalling off UDP entirely isn't an option. – Andrew B Aug 11 '15 at 13:05
  • Lucas, what if the firewall is a Linux machine? If the INPUT chain in iptables blocks all UDP from the internet? Also, what about if the FORWARD chain does allow forwarding of UDP packets to other machines, will the firewall machine be vulnerable too? – BeowulfNode42 Sep 17 '15 at 04:05