New FragmentSmack DoS vulnerability found in 88 Cisco products
- The vulnerability,identified as CVE-2018-5391, can allow attackers to create a DoS condition on affected devices.
- Until a patch is issued, Cisco has recommended that customers check the product-specific documentation for any workarounds.
Cisco confirmed that 88 of its products have been affected by a potentially dangerous denial-of-service (DoS) flaw. The vulnerability, dubbed FragmentSmack, was discovered in August and affects product and services using Linux kernel 3.9 or above.
FragementSmack, identified as CVE-2018-5391, can allow attackers to create a DoS condition on affected devices by sending a stream of IPv4 or IPv6 packets.
“The vulnerability is due to inefficient IPv4 and IPv6 fragment reassembly algorithms in the IP stack that is used by the affected kernel. Linux Kernel Versions 3.9 and later are known to be affected by this vulnerability,” said CISCO in its report.
The firm is currently investigating its product line to determine which products and services are affected by FragmentSmack. Meanwhile, Cisco is also investigating products in the routing and switching category. More specifically, it is reviewing the Application Policy Infrastructure Controller Enterprise Module (APIC-EM).
The firm is yet to come up with a patch to fix the issue. Until then, CISCO has recommended that customers check the product-specific documentation for any workarounds.
“Administrators may be able to leverage access control lists (ACLs), Control Plane Policing (CoPP), or other rate-limiting measures to control the flow of fragmented packets that reach an affected interface. Off-device mitigations, such as external firewalls or infrastructure ACLs on edge devices, may also effectively control the flow of IP fragments that are directed to management interfaces or control planes of downstream affected devices,” CISCO said.
Although FragmentSmack was originally discovered on Linux, the flaw, when combined with its sibling SegmentSmack, can also impact Windows systems, Bleeping Computer reported.