
The networking hash vulnerability

Most Linux kernels have a slightly different sort of vulnerability in the networking subsystem. For most users, the new problem is nothing to be particularly worried about. For systems that export important services to the net (e.g. web servers), however, this one is worth paying attention to.

The networking code maintains a number of internal hash tables to speed lookups. One table, for example, is used to quickly find the route to a remote system; another is used by the netfilter connection tracking code. The problem is that the hashing function used for these tables is predictable and can be influenced by outsiders. In particular, a suitably clever attacker can, through careful choices of (false) source packet addresses, create a great many entries in a single hash chain.

Once the chain gets long, the kernel will begin to take a long time to look up each packet which hashes to that chain. This behavior enables a simple denial of service attack: send a bunch of packets with the right addresses and watch the target system slow to a crawl. By exploiting this vulnerability, an attacker can get many of the effects of a large, distributed denial of service attack without having to arrange the "distributed" part - a single system will do.

Fixing the problem is a simple matter of picking a better hash function which does not have such predictable behavior. Patches are available for the 2.4 kernel, though, as of this writing, few vendors have released updates; this LWN vulnerability entry will track the updates as they are received. The 2.4.21-rc2 and 2.5.69 kernels also contain the fix - but nobody should be running important services on either of those.
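To make the mechanism concrete, here is an added example in C; it is not code from the article or from the kernel. It pairs a constructed predictable hash (a stand-in for the unfixed function, not the real 2.4 one) with a keyed hash built on the MurmurHash3 finaliser, inserts the same set of forged source addresses into a 1024-bucket table under each, and reports the longest chain. The target address, the key values and the address set are all constructed for the demonstration.

```c
/* Added illustration, not kernel code: a predictable address hash beside a
 * keyed one, judged by the longest bucket chain one chosen address set makes. */
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 1024u  /* power-of-two table, as kernel hash tables usually are */
#define NADDRS   256u   /* size of the constructed source-address set */
typedef uint32_t (*hash_fn)(uint32_t saddr, uint32_t daddr, uint32_t k0, uint32_t k1);

/* Predictable hash in the spirit of the unfixed code: a fixed combination of the
 * two addresses with no secret mixed in (constructed, not the real 2.4 function). */
static uint32_t predictable_hash(uint32_t saddr, uint32_t daddr, uint32_t k0, uint32_t k1)
{
    (void)k0; (void)k1;
    return (saddr ^ daddr) & (NBUCKETS - 1);
}
/* MurmurHash3 finaliser: every input bit influences every output bit. */
static uint32_t fmix32(uint32_t h)
{
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    return h ^ (h >> 16);
}
/* Keyed hash: same inputs mixed with secrets k0, k1 drawn once at boot.  Without
 * the keys an outsider cannot tell which addresses will share a bucket. */
static uint32_t keyed_hash(uint32_t saddr, uint32_t daddr, uint32_t k0, uint32_t k1)
{
    return fmix32(fmix32(saddr ^ k0) + (daddr ^ k1)) & (NBUCKETS - 1);
}

/* Build the forged source-address set the article describes (every address
 * lands in the same predictable_hash bucket), insert it, return the longest chain. */
unsigned longest_chain(hash_fn h, uint32_t k0, uint32_t k1)
{
    const uint32_t daddr = 0xC0A80001u;  /* constructed target, 192.168.0.1 */
    unsigned chain[NBUCKETS] = {0}, longest = 0;
    for (uint32_t i = 0; i < NADDRS; i++) {
        uint32_t saddr = daddr ^ (0x2au + i * NBUCKETS);  /* identical low 10 bits */
        unsigned b = h(saddr, daddr, k0, k1);
        if (++chain[b] > longest) longest = chain[b];
    }
    return longest;
}

int main(void)
{
    printf("predictable: longest chain %u/%u\n", longest_chain(predictable_hash, 0, 0), NADDRS);
    printf("keyed:       longest chain %u/%u\n", longest_chain(keyed_hash, 0x9e3779b9u, 0x7f4a7c15u), NADDRS);
    return 0;
}
```

Under the predictable hash all 256 entries pile into one chain, so every lookup for that bucket walks the whole set; under the keyed hash the same addresses spread to a few entries per bucket, which is the property the fix restores.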



The networking hash vulnerability

Posted May 22, 2003 11:33 UTC (Thu) by alspnost (subscriber, #2763)

> The 2.4.21-rc2 and 2.5.69 kernels also contain the fix - but nobody
> should be running important services on either of those.

Well, I don't understand why the former should be unsafe. I would be far happier running on 2.4.21-rc2 than 2.4.20, since it contains this and many other critical fixes, and seems to be much more stable too.

I reckon a 2.4-rc is safe for almost anyone, but I do wish Marcelo would move along and release 2.4.21 at long last....

The networking hash vulnerability

Posted May 22, 2003 12:09 UTC (Thu) by DaveK (subscriber, #2531)

A quick check of ftp.kernel.org suggests that 2.4.20 was released on 28th November 2002, i.e. almost exactly 6 months ago.
Thus the 2.4.20 kernel is obviously without any security vulnerabilities or other scary data trashing issues, and supports all the latest hardware, otherwise a new release would have happened by now.
Since it is the latest issue on ftp.kernel.org it is obvious that it is the one that everyone is recommended to download and run; I don't see what all the fuss is about.

2.4.20 not entirely safe

Posted May 22, 2003 13:29 UTC (Thu) by alspnost (subscriber, #2763)

Not true. 2.4.20 does have some security problems, like the ptrace vulnerability, some possible ext3 filesystem corruption issues, and this latest DoS issue. There's also the fact that it doesn't support lots of recent hardware etc. Anyway, many people _did_ request an accelerated 2.4.21 release when the ptrace flaw was discovered, but it didn't happen. Alan Cox deemed it serious enough to release a new 2.2 kernel.

In the end, people using vendor kernels get the fixes by updating those; hackers who build their own kernels are probably happy running prepatches, or certainly -rc releases. FWIW, I'm with 2.4.21-rc on Gentoo and it's rock solid.

Sarcasm alert

Posted May 22, 2003 19:19 UTC (Thu) by roelofs (subscriber, #2599)

I'm pretty sure DaveK was employing verbal irony. He's not the only one who wishes Marcelo would get off his thumb and release the 2.4 kernels a little more quickly, at least when there are longstanding security holes to be patched. (And yes, I've resorted to various -pre and -rc kernels because I had to, but at least two of those failed to build and required additional patches.)

Btw, typo alert for Jonathan: "problemis"

Sarcasm alert

Posted May 22, 2003 22:39 UTC (Thu) by alspnost (subscriber, #2763)

Thanks - yes, I think you're right. My sarcasm detector got switched off in the middle of a busy day at work ;-)

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds