Security Advisory ADV180022 | Windows Denial of Service Vulnerability

Brink

Administrator
Staff member
Local time
9:18 AM
Messages
74,946
Location
Oklahoma
Microsoft is aware of a denial of service vulnerability (named "FragmentSmack" CVE-2018-5391) affecting Windows systems. An attacker could send many 8-byte sized IP fragments with random starting offsets, but withhold the last fragment and exploit the worst-case complexity of linked lists in reassembling IP fragments. A system under attack would become unresponsive with 100% CPU utilization but would recover as soon as the attack terminated.

Recommended actions

To protect your system from this vulnerability, Microsoft recommends that you take the following actions:

  1. Register for security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
  2. Test and apply security updates. See the Affected Products table to download and install the updates.
  3. If you cannot apply the security updates immediately, you can apply the workdaround described in FAQ #1.
FAQ

1. What workaround(s) exist for this vulnerability?

The following commands disable packet reassembly. Any out-of-order packets are dropped. There is a potential for packet loss when discarding out-of-order packets. Valid scenarios should not exceed more than 50 out-of-order fragments.

We recommend testing prior to updating production systems.
Code:
Netsh int ipv4 set global reassemblylimit=0
Netsh int ipv6 set global reassemblylimit=0


Further netsh guidance can be found at netsh.

2. Is Azure affected?

Azure fabric layer protections mitigate this vulnerability. This is blocked before traffic reaches Azure VMs.

3. What can I do at the perimeter to block this attack?

Review the perimeter device guidance and modify reassembly packet limits similar to the commands listed in FAQ #1.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Refer to FAQ #1 for the Workaround for this vulnerability.


Read more: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180022
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
So what is the vector here? A carefully crafted web page or some other fetched web service that could do this?

It looks like this also effects Linux doing a Google search for CVE-2018-5391.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64
Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
Back
Top