The vulnerability, reported by Juha-Matti Tilli at Aalto University, Department of Communications and Networking/Nokia Bell Labs, means an attacker can bring about a DoS by sending specially modified packets during an ongoing TCP session.
However, since maintaining the DoS calls for continuous two-way TCP sessions to a reachable open port, attacks cannot be carried out using spoofed IP addresses.
The Linux kernel project has released patches to address the vulnerability.
"It’s well worth noting that most enterprise grade Linux distributions do not yet use Linux kernels 4.9 or above, so (they) aren’t impacted," Beaumont wrote. "By the time they do, patches will be built in."
He said the following points should be noted:
- The vulnerability does not allow remote code execution.
- If the server is fully firewalled from an attacker, it is not exploitable.
- To exploit the vulnerability, you need inbound TCP access to the server.
- You cannot spoof packets during exploitation, as it requires an established, two-way TCP stream.
- You need the server to echo certain packets back to you over TCP to exploit this — the packets need to be sent by the Linux server *outbound*. So only certain protocols would allow this.
- There is no proof of concept for the exploit available at the moment.
Beaumont also listed the kernel versions in some widely-used Linux distributions so users could see if they were vulnerable.
"Don't panic," he said. "For enterprise grade Linux distributions it is unlikely you are actually impacted due to kernel versions. You should, of course, check your systems with a Vulnerability Management approach — and if so, patch your system with apt-get upgrade, yum update etc.
"It is obviously more complex with embedded devices such as NAS devices – although I would recommend not exposing these directly to the Internet regardless."