Allele Security Alert
ASA-2019-00411
Identifier(s)
ASA-2019-00411, CVE-2019-10638
Title
Internet Protocol Identification (IPID) generation is too weak
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions before 5.2
Linux kernel versions 5.1.x before 5.1.7
Linux kernel versions 5.0.x before 5.0.21
Linux kernel versions 4.19.x before 4.19.48
Linux kernel versions 4.9.x before 4.9.190
Linux kernel versions 4.4.x before 4.4.191
Linux kernel versions 4.14.x before 4.14.124
Linux kernel versions 3.16.x before 3.16.72
Fixed version(s)
Linux kernel version 5.2
Linux kernel version 5.1.7
Linux kernel version 5.0.21
Linux kernel version 4.19.48
Linux kernel version 4.9.190
Linux kernel version 4.4.191
Linux kernel version 4.14.124
Linux kernel version 3.16.72
Linux kernel versions with the following commit applied:
inet: switch IP ID generator to siphash
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df453700e8d81b1bdafdf684365ee2b9431fb702
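A check of a `uname -r` string against the fixed versions listed above, as an added example that is not part of the original alert. The function name `classify_release` and its status strings are assumptions; only the upstream version numbers are compared, so a vendor kernel that carries the commit as a backport is reported as "verify-with-vendor" rather than "affected".

```python
import platform
import re

# Fixed stable releases per branch, copied from this advisory.
FIXED_IN_BRANCH = {
    (5, 1): 7, (5, 0): 21, (4, 19): 48, (4, 14): 124,
    (4, 9): 190, (4, 4): 191, (3, 16): 72,
}
FIRST_FIXED_MAINLINE = (5, 2)

# major.minor[.patch] followed by an optional vendor/build suffix.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def classify_release(release):
    """Classify a `uname -r` string against the advisory's fixed versions.

    Returns "fixed", "affected", "verify-with-vendor" or "unparsed".
    The status names are this example's own (assumption).
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    suffix = m.group(4)

    if (major, minor) >= FIRST_FIXED_MAINLINE:
        return "fixed"
    threshold = FIXED_IN_BRANCH.get((major, minor))
    if threshold is not None and patch >= threshold:
        return "fixed"
    # Below the fixed release, or a branch with no fixed release listed here.
    # A suffix such as "-6-amd64" marks a vendor build, which may carry the
    # siphash commit as a backport without changing the upstream number.
    return "verify-with-vendor" if suffix else "affected"


if __name__ == "__main__":
    # Constructed sample strings, followed by the running kernel.
    samples = ["5.1.6", "4.19.48", "4.19.0-6-amd64", "4.15.0"]
    for rel in samples + [platform.release()]:
        print(f"{rel:24} {classify_release(rel)}")
```

For a "verify-with-vendor" result, the distribution trackers listed under Reference(s) state whether the vendor kernel includes the fix.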
Proof of concept
Unknown
Description
A device running the Linux kernel can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.
Technical details
Unknown
Credits
Amit Klein and Benny Pinkas
Reference(s)
From IP ID to Device ID and KASLR Bypass (Extended Version)
https://arxiv.org/pdf/1906.10478.pdf
inet: switch IP ID generator to siphash
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df453700e8d81b1bdafdf684365ee2b9431fb702
netns: provide pure entropy for net_hash_mix()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92
inet: update the IP ID generation algorithm to higher standards.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=55f0fc7a02de8f12757f4937143d8d5091b2e40b
inet: switch IP ID generator to siphash
https://github.com/torvalds/linux/commit/df453700e8d81b1bdafdf684365ee2b9431fb702
netns: provide pure entropy for net_hash_mix()
https://github.com/torvalds/linux/commit/355b98553789b646ed97ad801a619ff898471b92
inet: update the IP ID generation algorithm to higher standards.
https://github.com/torvalds/linux/commit/55f0fc7a02de8f12757f4937143d8d5091b2e40b
Linux 5.2
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2
Linux 5.1.7
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.7
Linux 5.0.21
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.21
Linux 4.19.48
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.48
Linux 4.14.124
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.124
Linux 4.9.190
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.190
Linux 4.4.191
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.191
Linux 3.16.72
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.72
CVE-2019-10638
https://security-tracker.debian.org/tracker/CVE-2019-10638
CVE-2019-10638 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-10638
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-10638.html
CVE-2019-10638 | SUSE
https://www.suse.com/security/cve/CVE-2019-10638
CVE-2019-10638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10638
CVE-2019-10638
https://nvd.nist.gov/vuln/detail/CVE-2019-10638
Last modified: November 29, 2019