Citrix Security Advisory for TCP/IP Reassembly Resource Exhaustion

Article ID: CTX237244
Description of Problem

Several vulnerabilities in TCP/IP reassembly, commonly known as SegmentSmack and FragmentSmack, have recently been disclosed. SegmentSmack is CVE-2018-5390 for Linux and CVE-2018-6922 for FreeBSD. FragmentSmack is CVE-2018-5391 for Linux and CVE-2018-6923 for FreeBSD. These vulnerabilities could allow an attacker who can maintain a TCP session with a vulnerable component (SegmentSmack) or deliver IP fragments to it (FragmentSmack) to send crafted packets that cause high CPU usage or CPU resource exhaustion, leading to denial of service.

The vulnerable reassembly code is part of affected Linux-based and FreeBSD-based operating systems rather than of Citrix software itself. Customers managing Linux or FreeBSD platforms on which Citrix components are deployed are advised to apply any appropriate operating system updates.
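The following script is an added example and is not part of this advisory or of any Citrix product. It audits a Linux host for the interim FragmentSmack (CVE-2018-5391) mitigation that distribution vendors published alongside the kernel updates: lowering the IP fragment reassembly memory thresholds so that a flood of fragments is evicted sooner. The threshold values used (262144 high, 196608 low) are Red Hat's published interim guidance and the stock defaults (4194304 / 3145728) are the upstream kernel values; both are assumptions of this example, not values from the page. The sample sysctl output is constructed. Note that SegmentSmack (CVE-2018-5390) has no equivalent tunable and is only fixed by a kernel update, so a "mitigated" result here says nothing about it.

```shell
#!/bin/sh
# Added example, not part of the Citrix advisory or any Citrix product.
# Audits the Linux IP fragment reassembly thresholds that distribution vendors
# lowered as an interim FragmentSmack (CVE-2018-5391) mitigation while kernel
# updates were pending. The values below are Red Hat's published interim
# guidance (an assumption of this example); stock kernel defaults are
# 4194304 (high) / 3145728 (low). SegmentSmack (CVE-2018-5390) has no such
# knob: only a kernel update fixes it.

MITIG_HIGH=262144   # net.ipv4.ipfrag_high_thresh under the interim mitigation
MITIG_LOW=196608    # net.ipv4.ipfrag_low_thresh under the interim mitigation

# sysctl_value KEY "<sysctl output>" -> prints the value of KEY, or nothing.
# Expects Linux "key = value" lines, e.g.
#   net.ipv4.ipfrag_high_thresh = 4194304   ->   4194304
# Exact match on the key avoids confusing ipfrag_* with ip6frag_*.
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $NF; exit }'
}

# frag_status "<sysctl output>" -> prints mitigated | default | unknown
# "default" means the thresholds are still at or above the stock values.
# A patched kernel keeps the stock defaults, so treat "default" as "check the
# kernel version", not as "vulnerable".
frag_status() {
    high=$(sysctl_value net.ipv4.ipfrag_high_thresh "$1")
    low=$(sysctl_value net.ipv4.ipfrag_low_thresh "$1")
    # Refuse to compare anything that is not a plain non-negative integer.
    for v in "$high" "$low"; do
        case "$v" in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    if [ "$high" -le "$MITIG_HIGH" ] && [ "$low" -le "$MITIG_LOW" ]; then
        echo mitigated
    else
        echo default
    fi
}

# Query the running host (prints "unknown" where sysctl is unavailable).
frag_status_live() {
    frag_status "$(sysctl net.ipv4.ipfrag_high_thresh net.ipv4.ipfrag_low_thresh 2>/dev/null)"
}

# Apply the interim values to the running kernel (root required). Persist them
# under /etc/sysctl.d/ if the kernel update cannot be installed promptly.
apply_frag_mitigation() {
    sysctl -w net.ipv4.ipfrag_high_thresh="$MITIG_HIGH" \
              net.ipv4.ipfrag_low_thresh="$MITIG_LOW" \
              net.ipv6.ip6frag_high_thresh="$MITIG_HIGH" \
              net.ipv6.ip6frag_low_thresh="$MITIG_LOW"
}

# Constructed sysctl output for the two states (not captured from a real host).
SAMPLE_DEFAULT='net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728'
SAMPLE_MITIGATED='net.ipv4.ipfrag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608'

printf 'constructed default host:   %s\n' "$(frag_status "$SAMPLE_DEFAULT")"
printf 'constructed mitigated host: %s\n' "$(frag_status "$SAMPLE_MITIGATED")"
printf 'this host:                  %s\n' "$(frag_status_live)"
```

Run it as an unprivileged user to audit; call `apply_frag_mitigation` as root only on hosts that cannot take the kernel update yet, and revert to the defaults once they are patched, since the lower thresholds also reduce legitimate fragment reassembly capacity.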

The following sections provide guidance on the impact and mitigation steps for Linux-based and FreeBSD-based Citrix products. Citrix products that do not include or execute on these platforms are not impacted by these vulnerabilities.

Windows-based components of XenDesktop and XenApp are not impacted by this issue.


What Citrix Is Doing

Citrix is in the process of analyzing the potential impact of this issue on currently supported products. 


Product Details

ByteMobile ATM

ByteMobile ATM is affected by CVE-2018-5390 and CVE-2018-5391. This has been addressed in version 8.2.4.1.

Please contact Citrix Technical Support to obtain the updated version. More information on the 8.2.4.1 release can be found at https://support.citrix.com/article/CTX228251


Citrix NetScaler

NetScaler MPX and NetScaler VPX are not impacted by CVE-2018-5390, CVE-2018-6922, CVE-2018-5391 or CVE-2018-6923.

NetScaler SVM and NetScaler MAS are not impacted by CVE-2018-5390 or CVE-2018-5391.


Citrix XenServer

Analysis of the impact of this issue on Citrix XenServer is in progress. This section will be updated as soon as additional information is available.


Citrix XenMobile

Analysis of the impact of this issue on Citrix XenMobile is in progress. This section will be updated as soon as additional information is available.


Citrix Receiver for Linux

Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.


Citrix Linux Virtual Desktop

Citrix Linux Virtual Desktop deployments may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.


Citrix Licensing

Analysis of the impact of this issue on Citrix Licensing is in progress. This section will be updated as soon as additional information is available.


Citrix XenDesktop Volume Worker Template

Amazon Web Services based deployments use the Linux AMI template. Guidance from Amazon about this issue can be found at the following location: https://aws.amazon.com/security/security-bulletins/AWS-2018-018/


The above list will be updated as the analysis into this issue progresses.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date                Change
August 8th 2018     Initial bulletin published
August 16th 2018    Added CVE-2018-5391 and CVE-2018-6923 details
November 13th 2018  Added ByteMobile ATM