CVE-2018-5391

Q: What is the severity of CVE-2018-5391?

CVE-2018-5391 has a CVSS score of 7.5 (HIGH). CVE-2018-5391 is a Linux kernel vulnerability that allows remote attackers to cause a denial of service by sending specially crafted IP fragments that overwhelm the fragment reassembly queue. This affects Linux kernel versions 3.9 and later, making most modern Linux systems vulnerable. The attack requires low packet rates, making it relatively easy to execute.

7.5 HIGH

Denial of Service

📋 TL;DR

CVE-2018-5391 is a Linux kernel vulnerability that allows remote attackers to cause a denial of service by sending specially crafted IP fragments that overwhelm the fragment reassembly queue. This affects Linux kernel versions 3.9 and later, making most modern Linux systems vulnerable. The attack requires low packet rates, making it relatively easy to execute.

💻 Affected Systems

Products:

Linux kernel

Versions: 3.9 and later

Operating Systems: All Linux distributions using vulnerable kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with increased IP fragment reassembly queue size (default in modern kernels) are more vulnerable. Network devices and servers processing IP fragments are at highest risk.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Ruggedcom Rm1224 Firmware by Siemens

View all CVEs affecting Ruggedcom Rm1224 Firmware →

Ruggedcom Rox Ii Firmware by Siemens

View all CVEs affecting Ruggedcom Rox Ii Firmware →

Scalance M 800 Firmware by Siemens

View all CVEs affecting Scalance M 800 Firmware →

Scalance S615 Firmware by Siemens

View all CVEs affecting Scalance S615 Firmware →

Scalance Sc 600 Firmware by Siemens

View all CVEs affecting Scalance Sc 600 Firmware →

Scalance W1700 Ieee 802.11ac Firmware by Siemens

View all CVEs affecting Scalance W1700 Ieee 802.11ac Firmware →

Scalance W700 Ieee 802.11a\/b\/g\/n Firmware by Siemens

View all CVEs affecting Scalance W700 Ieee 802.11a\/b\/g\/n Firmware →

Simatic Net Cp 1242 7 Firmware by Siemens

View all CVEs affecting Simatic Net Cp 1242 7 Firmware →

Simatic Net Cp 1243 1 Firmware by Siemens

View all CVEs affecting Simatic Net Cp 1243 1 Firmware →

Simatic Net Cp 1243 7 Lte Eu Firmware by Siemens

View all CVEs affecting Simatic Net Cp 1243 7 Lte Eu Firmware →

Simatic Net Cp 1243 7 Lte Us Firmware by Siemens

View all CVEs affecting Simatic Net Cp 1243 7 Lte Us Firmware →

Simatic Net Cp 1243 8 Irc Firmware by Siemens

View all CVEs affecting Simatic Net Cp 1243 8 Irc Firmware →

Simatic Net Cp 1542sp 1 Firmware by Siemens

View all CVEs affecting Simatic Net Cp 1542sp 1 Firmware →

Simatic Net Cp 1542sp 1 Irc Firmware by Siemens

View all CVEs affecting Simatic Net Cp 1542sp 1 Irc Firmware →

Simatic Net Cp 1543 1 Firmware by Siemens

View all CVEs affecting Simatic Net Cp 1543 1 Firmware →

Simatic Net Cp 1543sp 1 Firmware by Siemens

View all CVEs affecting Simatic Net Cp 1543sp 1 Firmware →

Simatic Rf185c Firmware by Siemens

View all CVEs affecting Simatic Rf185c Firmware →

Simatic Rf186c Firmware by Siemens

View all CVEs affecting Simatic Rf186c Firmware →

Simatic Rf186ci Firmware by Siemens

View all CVEs affecting Simatic Rf186ci Firmware →

Simatic Rf188 Firmware by Siemens

View all CVEs affecting Simatic Rf188 Firmware →

Simatic Rf188ci Firmware by Siemens

View all CVEs affecting Simatic Rf188ci Firmware →

Sinema Remote Connect Server Firmware by Siemens

View all CVEs affecting Sinema Remote Connect Server Firmware →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows Rt 8.1 by Microsoft

View all CVEs affecting Windows Rt 8.1 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system unavailability requiring reboot, affecting all network services on the target system.

🟠

Likely Case

Degraded network performance and intermittent service disruptions affecting TCP-based applications.

🟢

If Mitigated

Minimal impact with proper network filtering and rate limiting in place.

🌐 Internet-Facing: HIGH - Remote attackers can exploit this without authentication from anywhere on the internet.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but typically have less motivation than external attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit code has been published in security advisories. The attack requires sending specially crafted IP fragments at relatively low rates (as low as 30 Mbps).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with fixes backported to various distributions. Check specific distribution advisories.

Vendor Advisory: https://www.kernel.org/

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution's repository. 2. For Red Hat/CentOS: yum update kernel. 3. For Ubuntu/Debian: apt update && apt upgrade linux-image-*. 4. Reboot system to load new kernel.

🔧 Temporary Workarounds

Reduce IP fragment reassembly queue size

linux

Lower the maximum number of IP fragments that can be queued for reassembly

sysctl -w net.ipv4.ipfrag_high_thresh=262144
sysctl -w net.ipv4.ipfrag_low_thresh=196608

Enable IP fragment filtering

linux

Drop IP fragments at network perimeter

iptables -A INPUT -f -j DROP

🧯 If You Can't Patch

Implement network filtering to drop IP fragments at perimeter firewalls
Use intrusion prevention systems (IPS) to detect and block fragment-based attacks

🔍 How to Verify

Check if Vulnerable:

Check kernel version: uname -r. If version is 3.9 or higher and not patched, system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Check if kernel has been updated to a version that includes the fix. For Red Hat: rpm -q kernel. For Ubuntu: dpkg -l | grep linux-image.

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
High system load without apparent cause
Network interface errors

Network Indicators:

Unusual IP fragment traffic patterns
High rate of fragmented packets
TCP connection timeouts

SIEM Query:

source="kernel" AND ("panic" OR "Oops") OR (source="firewall" AND "fragment" AND rate>1000)

📊 Metadata

CVE ID: CVE-2018-5391

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

Published: September 6, 2018

Last Updated: November 21, 2024

🔗 References

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-004.txt Third Party Advisory
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-linux-en Broken Link
http://www.openwall.com/lists/oss-security/2019/06/28/2 Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/07/06/3 Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/07/06/4 Mailing List,Third Party Advisory
http://www.securityfocus.com/bid/105108 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1041476 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1041637 Third Party Advisory,VDB Entry
https://access.redhat.com/errata/RHSA-2018:2785 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2791 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2846 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2924 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2925 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2933 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2948 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3083 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3096 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3459 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3540 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3586 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3590 Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-377115.pdf Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=c30f1fc041b74ecdb072dd44f858750414b8b19f Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html Mailing List,Mitigation,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20181003-0002/ Third Party Advisory
https://support.f5.com/csp/article/K74374841?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/3740-1/ Third Party Advisory
https://usn.ubuntu.com/3740-2/ Third Party Advisory
https://usn.ubuntu.com/3741-1/ Third Party Advisory
https://usn.ubuntu.com/3741-2/ Third Party Advisory
https://usn.ubuntu.com/3742-1/ Third Party Advisory
https://usn.ubuntu.com/3742-2/ Third Party Advisory
https://www.debian.org/security/2018/dsa-4272 Mitigation,Third Party Advisory
https://www.kb.cert.org/vuls/id/641765 Third Party Advisory,US Government Resource
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-004.txt Third Party Advisory
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-linux-en Broken Link
http://www.openwall.com/lists/oss-security/2019/06/28/2 Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/07/06/3 Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/07/06/4 Mailing List,Third Party Advisory
http://www.securityfocus.com/bid/105108 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1041476 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1041637 Third Party Advisory,VDB Entry
https://access.redhat.com/errata/RHSA-2018:2785 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2791 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2846 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2924 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2925 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2933 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2948 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3083 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3096 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3459 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3540 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3586 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3590 Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-377115.pdf Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=c30f1fc041b74ecdb072dd44f858750414b8b19f Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html Mailing List,Mitigation,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20181003-0002/ Third Party Advisory
https://support.f5.com/csp/article/K74374841?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/3740-1/ Third Party Advisory
https://usn.ubuntu.com/3740-2/ Third Party Advisory
https://usn.ubuntu.com/3741-1/ Third Party Advisory
https://usn.ubuntu.com/3741-2/ Third Party Advisory
https://usn.ubuntu.com/3742-1/ Third Party Advisory
https://usn.ubuntu.com/3742-2/ Third Party Advisory
https://www.debian.org/security/2018/dsa-4272 Mitigation,Third Party Advisory
https://www.kb.cert.org/vuls/id/641765 Third Party Advisory,US Government Resource

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Webaccelerator by F5

Big Ip Webaccelerator by F5

Big Ip Webaccelerator by F5

Big Ip Webaccelerator by F5

Big Ip Webaccelerator by F5

Debian Linux by Debian

Debian Linux by Debian

Enterprise Linux Desktop by Redhat

Enterprise Linux Desktop by Redhat

Enterprise Linux Server by Redhat

Enterprise Linux Server by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server Aus by Redhat