ASA-2019-00411 – Linux kernel: Internet Protocol Identification (IPID) generation is too weak


Allele Security Alert

ASA-2019-00411

Identifier(s)

ASA-2019-00411, CVE-2019-10638

Title

Internet Protocol Identification (IPID) generation is too weak

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 5.2

Linux kernel versions 5.1.x before 5.1.7
Linux kernel versions 5.0.x before 5.0.21
Linux kernel versions 4.19.x before 4.19.48
Linux kernel versions 4.9.x before 4.9.190
Linux kernel versions 4.4.x before 4.4.191
Linux kernel versions 4.14.x before 4.14.124
Linux kernel versions 3.16.x before 3.16.72

Fixed version(s)

Linux kernel version 5.2

Linux kernel version 5.1.7
Linux kernel version 5.0.21
Linux kernel version 4.19.48
Linux kernel version 4.9.190
Linux kernel version 4.4.191
Linux kernel version 4.14.124
Linux kernel version 3.16.72

Linux kernel versions with the following commit applied:

inet: switch IP ID generator to siphash
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df453700e8d81b1bdafdf684365ee2b9431fb702
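
A version check built from the fixed-release list above, as an added example that is not part of the original alert or of the kernel project's code. The function names and the three status strings are assumptions of this example. A release below the listed fix that carries a vendor suffix is reported as check-backport, because the alert also counts any kernel with the siphash commit applied as fixed.

```python
import platform
import re

# Fixed release per stable branch, copied from the "Fixed version(s)" list above.
FIXED_PATCH = {(3, 16): 72, (4, 4): 191, (4, 9): 190, (4, 14): 124,
               (4, 19): 48, (5, 0): 21, (5, 1): 7}
FIRST_FIXED_MAINLINE = (5, 2)  # the alert lists 5.2 as the first fixed mainline release


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), suffix)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, release[m.end():]


def ipid_fix_status(release):
    """Return 'fixed', 'affected' or 'check-backport' for CVE-2019-10638."""
    (major, minor, patch), suffix = parse_release(release)
    if (major, minor) >= FIRST_FIXED_MAINLINE:
        return "fixed"
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is not None and patch >= fixed_patch:
        return "fixed"
    # Below the fixed release, or on a branch with no fixed release listed.
    # A suffix marks a vendor or custom build, which may have the siphash
    # commit applied without changing the base version number.
    return "check-backport" if suffix else "affected"


if __name__ == "__main__":
    # Check the kernel this script is running on.
    release = platform.release()
    print(f"{release}: {ipid_fix_status(release)}")
```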

Proof of concept

Unknown

Description

A device running the Linux kernel can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.

Technical details

Unknown

Credits

Amit Klein and Benny Pinkas

Reference(s)

From IP ID to Device ID and KASLR Bypass (Extended Version)
https://arxiv.org/pdf/1906.10478.pdf

inet: switch IP ID generator to siphash
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df453700e8d81b1bdafdf684365ee2b9431fb702

netns: provide pure entropy for net_hash_mix()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92

inet: update the IP ID generation algorithm to higher standards.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=55f0fc7a02de8f12757f4937143d8d5091b2e40b

inet: switch IP ID generator to siphash
https://github.com/torvalds/linux/commit/df453700e8d81b1bdafdf684365ee2b9431fb702

netns: provide pure entropy for net_hash_mix()
https://github.com/torvalds/linux/commit/355b98553789b646ed97ad801a619ff898471b92

inet: update the IP ID generation algorithm to higher standards.
https://github.com/torvalds/linux/commit/55f0fc7a02de8f12757f4937143d8d5091b2e40b

Linux 5.2
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2

Linux 5.1.7
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.7

Linux 5.0.21
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.21

Linux 4.19.48
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.48

Linux 4.14.124
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.124

Linux 4.9.190
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.190

Linux 4.4.191
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.191

Linux 3.16.72
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.72

CVE-2019-10638
https://security-tracker.debian.org/tracker/CVE-2019-10638

CVE-2019-10638 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-10638

CVE-2019-10638 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-10638.html

CVE-2019-10638 | SUSE
https://www.suse.com/security/cve/CVE-2019-10638

CVE-2019-10638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10638

CVE-2019-10638
https://nvd.nist.gov/vuln/detail/CVE-2019-10638

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: November 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.