CVE-2018-5390

That's great news.

One question: since it's KVM and the network devices are bridged, the host can't be attacked by attacking a guest, right?

My hosts are behind a firewall, so I should be good to go?

Kind regards
 
The attack is a DoS exhausting CPU resources by sending tiny TCP segments out of order. Thus, if one of your guests is attacked, it would end up wasting the CPUs you've assigned to it, which, depending on your config, could affect the host.

The effect and protection of the firewall depend on its workings (if it does TCP reassembly and sends a reassembled stream to the host, then this should help) and patch level (quite a few firewall vendors base their solutions on Linux as well and thus could potentially be affected by this bug).

HTH
 
Thank you for your answer!

I see, most of my VMs are already patched, except the CentOS ones, since there is no upstream patch so far.

The firewall is indeed using a Linux kernel, I will keep this in mind.

Kind regards!