Arista Networks · Arista Eos · CVE-2018-5391
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions 3.9 and later
PAN-OS versions prior to 6.1.22
PAN-OS versions prior to 7.1.20
PAN-OS versions prior to 8.0.13
PAN-OS versions prior to 8.1.5
Arista EOS (affected versions not specified)
vEOS (affected versions not specified)
CloudVision Portal (affected versions not specified)
CloudVision Appliance (affected versions not specified)
Check Point GAiA (affected versions not specified)
Description:
The issue is related to a denial of service attack that can be triggered by sending specially crafted IP fragments, causing CPU saturation and consuming excessive resources. This can lead to a denial of service condition. The vulnerability is known as a FragmentSmack attack and affects the Linux kernel's handling of IP fragment reassembly. Remote attackers can exploit this issue by sending fragmented IPv4 or IPv6 packets to the affected device.
Recommendations:
For Linux kernel versions 3.9 and later, consider disabling IP fragment reassembly or restricting the size of the IP fragment reassembly queue as a temporary workaround until a patch is available.
For PAN-OS versions prior to 6.1.22, update to version 6.1.22 or later.
For PAN-OS versions prior to 7.1.20, update to version 7.1.20 or later.
For PAN-OS versions prior to 8.0.13, update to version 8.0.13 or later.
For PAN-OS versions prior to 8.1.5, update to version 8.1.5 or later.
For Arista EOS, vEOS, CloudVision Portal, and CloudVision Appliance, refer to the vendor's documentation for affected versions, mitigation, and resolution.
For Check Point GAiA, at the moment, there is no information about a newer version that contains a fix for this vulnerability.