CVE-2017-7397 in Linux
Summary
by MITRE
BackBox Linux 4.6 allows remote attackers to cause a denial of service (ksoftirqd CPU consumption) via a flood of packets with Martian source IP addresses (as defined in RFC 1812 section 5.3.7). This product enables net.ipv4.conf.all.log_martians by default.
Analysis
by VulDB Data Team • 08/05/2024
The vulnerability identified as CVE-2017-7397 affects BackBox Linux version 4.6 and is a denial of service weakness that can be exploited remotely through network packet manipulation. The issue stems from the system's default configuration, which enables the net.ipv4.conf.all.log_martians parameter and so creates a critical operational flaw in network packet processing. The vulnerability specifically targets the kernel's soft interrupt handling mechanism, where ksoftirqd processes consume excessive CPU cycles when encountering packets with Martian source IP addresses, as defined in RFC 1812 section 5.3.7.
Martian source IP addresses are those that are explicitly forbidden by internet standards and include addresses like the loopback range 127.0.0.0/8, multicast addresses, and other reserved address ranges that should never appear as source addresses in legitimate network traffic. When a system receives packets with these invalid source addresses, the default configuration of BackBox Linux 4.6 causes the kernel to log each occurrence, leading to a massive increase in system overhead and potential system instability. The ksoftirqd process, which handles network soft interrupts, becomes overwhelmed with logging operations, consuming nearly all available CPU resources and effectively rendering the system unresponsive to legitimate network traffic.
The operational impact of this vulnerability extends beyond simple service disruption as it creates a resource exhaustion condition that can affect system stability and availability. Attackers can exploit this weakness by flooding the target system with packets containing Martian source addresses, causing the kernel to spend excessive time processing log entries rather than handling legitimate network operations. This type of attack aligns with the attack pattern described in the attack tree framework where resource exhaustion attacks target system components to create denial of service conditions. The vulnerability demonstrates a clear weakness in the system's network stack configuration and logging mechanisms, representing a failure to properly handle malformed network traffic according to established security practices.
This vulnerability maps directly to CWE-400, which describes unchecked resource consumption, and aligns with the broader category of denial of service attacks within the MITRE ATT&CK framework. The issue occurs at the network layer of the OSI model, where the system fails to properly filter or handle invalid network packets. The default enabling of log_martians creates an implicit trust in the logging infrastructure without proper resource management or rate limiting controls. Security practitioners should note that this vulnerability reflects poor security configuration management practices and highlights the importance of implementing proper network access controls and traffic filtering mechanisms.
The recommended mitigation is to disable the net.ipv4.conf.all.log_martians parameter or to implement proper rate limiting controls so that the system cannot be overwhelmed by excessive logging operations. The system should also filter Martian addresses at the network level rather than relying solely on logging mechanisms that can be exploited for resource exhaustion attacks.
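The following audit script is an added example, not part of the MITRE or VulDB text. It relies on the kernel treating log_martians as enabled on an interface when either the conf/all value or the interface's own value is 1, so clearing only net.ipv4.conf.all.log_martians can leave logging active. The function names are hypothetical, and the optional root argument exists so the check can be run against a constructed tree instead of /proc/sys.

```shell
#!/bin/sh
# Added example: report where martian logging is effectively enabled.
# Effective setting per interface = conf/all/log_martians OR the interface's
# own log_martians, so both places have to be checked.

# Print "<iface> <effective> all=<n> iface=<n>" for each interface under ROOT.
# ROOT defaults to /proc/sys; pass a constructed tree to test offline.
effective_log_martians() {
    conf="${1:-/proc/sys}/net/ipv4/conf"
    all=$(cat "$conf/all/log_martians" 2>/dev/null || echo 0)
    for dir in "$conf"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces
        case "$iface" in all|default) continue ;; esac
        own=$(cat "$dir/log_martians" 2>/dev/null || echo 0)
        if [ "$all" = 1 ] || [ "$own" = 1 ]; then eff=1; else eff=0; fi
        echo "$iface $eff all=$all iface=$own"
    done
}

# Number of interfaces on which martian packets would currently be logged.
count_logging_interfaces() {
    effective_log_martians "$1" | awk '$2 == 1 { n++ } END { print n + 0 }'
}

# Emit sysctl.d-style lines that switch logging off everywhere it is set:
# the "all" and "default" templates plus every interface with its own flag on.
hardening_fragment() {
    echo "net.ipv4.conf.all.log_martians = 0"
    echo "net.ipv4.conf.default.log_martians = 0"
    effective_log_martians "$1" |
        awk '$4 == "iface=1" { print "net.ipv4.conf." $1 ".log_martians = 0" }'
}

# Stand-alone use: audit the running system (or the tree given as $1).
effective_log_martians "${1:-/proc/sys}"
```

The output of hardening_fragment is meant to be reviewed and then placed in a sysctl configuration file; it does not change any setting by itself.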