Hello, welcome to the Wednesday, August 8, 2018 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from San Antonio, Texas.

A new denial of service vulnerability against the most recent Linux kernel has made the new sort of big time today in part because of the

catchy name associated with this vulnerability. Segment smack as the vulnerability has been

branded is an issue with the 4.9 Linux kernel. Now before you look at your system and find out that you're not running

the 4.9 kernel, be aware that some distributions like for example Redhead have ported back

the TCP stack from 4.9 into their version of the Linux kernel. So even though it

doesn't say 4.9, you are using the vulnerable code. So for example, Redhead Enterprise

6 and 7 are vulnerable. Suse 15 is vulnerable, as well as Bantu 1804, which was just released.

Patches should be out by now for vulnerable systems.

So what's the risk here and what's the problem really?

The risk, first of all, is if you have an exposed server, an attacker could connect to that server,

and by sending very few packets essentially lead to a denial of service condition.

The exact nature of the vulnerability isn't known yet, but it is related to the out-of-order queue,

which essentially is where TCP keeps sort of random

packets around that don't fit yet into a sampled TCP stream. Now, best guess here is

that probably this attack involves sending a lot of out-of-order packets, maybe also overlapping

segments. So anything along these lines is

probably to blame for this vulnerability. But again, the hacker cannot spoof their IP address

because they first need an established TCP connection. And then they at least occasionally

need to send additional packets. So again again this cannot be spoofed.

At this point, I wouldn't really worry about it too much.

...