CVE-2019-10638: Weak Encryption
A flaw was found in the way the Linux kernel derived the IP ID field from a partial kernel space address returned by a net_hash_mix() function. A remote user could observe a weak IP ID generation in this field to track Linux devices.
Other sources
In the Linux kernel before 5.1.7 a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g. UDP and ICMP). When such traffic is sent to multiple destination IP addresses it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.
— Microsoft
In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.
Linux Kernel could allow a remote attacker to obtain sensitive information, caused by the use of IP ID values for connection-less protocols. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to obtain the hash collisions then enumerate the hashing key.
— IBM
When IP packet fragmentation is on, the IP Identification (ID) field of the IP header is used, during packet reassembly on the destination host, to identify fragments which belong to the same packet. The IP ID field is required to be unique and the same across all fragments of an IP packet. IP packet fragments are identified by a tuple with the following fields:
(source address|destination address|protocol|IP-ID)
The Linux kernel derived this IP ID field from a partial kernel space address returned by the net_hash_mix() function, which is then used with a hash function to compute the IP ID field.
A remote user could observe this IP ID field to deduce the hash key used to derive its value. This could enable a remote user to track particular Linux devices.
Upstream fix:
https://git.kernel.org/linus/df453700e8d81b1bdafdf684365ee2b9431fb702
Issue introduced by:
https://git.kernel.org/linus/b6a7719aedd7e5c0f2df7641aa47386111682df4
https://git.kernel.org/linus/5a352dd0a3aac03b443c94828dfd7144261c8636
— Red Hat
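To illustrate the reassembly tuple quoted in the Red Hat note above, the following added Python example (not code from the advisory or from the kernel) parses IPv4 fragments and groups them by (source address, destination address, protocol, IP-ID). The packets, addresses, ID values and helper names are constructed for the illustration.

```python
import socket
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def ipv4_packet(src, dst, proto, ip_id, frag_units, more_frags, payload):
    """Build a constructed IPv4 packet (checksum left at 0 for brevity)."""
    flags_frag = (0x2000 if more_frags else 0) | frag_units  # MF bit + offset/8
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ip_id, flags_frag,
                       64, proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def parse(pkt):
    """Return (reassembly key, byte offset, more-fragments flag, payload)."""
    (ver_ihl, _tos, total, ip_id, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    header_len = (ver_ihl & 0x0F) * 4
    key = (src, dst, proto, ip_id)  # the tuple quoted in the advisory
    return key, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[header_len:total]

def reassemble(packets):
    """Group fragments by key and return {key: payload} for complete datagrams."""
    fragments = defaultdict(dict)   # key -> {byte offset: data}
    expected_len = {}               # key -> total length, known from last fragment
    for pkt in packets:
        key, offset, more, data = parse(pkt)
        fragments[key][offset] = data
        if not more:
            expected_len[key] = offset + len(data)
    complete = {}
    for key, total in expected_len.items():
        out = b""
        while fragments[key].get(len(out)):   # walk contiguous offsets from 0
            out += fragments[key][len(out)]
        if len(out) == total:
            complete[key] = out
    return complete

# Constructed sample: two senders reuse IP ID 0x1234 toward one receiver, with
# fragments interleaved; a third datagram (ID 0x1235) is missing its last fragment.
DST = "198.51.100.7"
SAMPLE = [
    ipv4_packet("192.0.2.1", DST, 17, 0x1234, 0, True, b"AAAAAAAA"),
    ipv4_packet("192.0.2.2", DST, 17, 0x1234, 0, True, b"BBBBBBBB"),
    ipv4_packet("192.0.2.1", DST, 17, 0x1235, 0, True, b"CCCCCCCC"),
    ipv4_packet("192.0.2.1", DST, 17, 0x1234, 1, False, b"aaaa"),
    ipv4_packet("192.0.2.2", DST, 17, 0x1234, 1, False, b"bbbb"),
]
```

Because source and destination are part of the key, the two datagrams that share ID 0x1234 reassemble separately: the ID only has to be unique within one (source, destination, protocol) tuple while its fragments are in flight.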
Frequently Asked Questions
What is the severity of CVE-2019-10638?
CVE-2019-10638 is categorized as a medium severity vulnerability affecting the Linux kernel.
How do I fix CVE-2019-10638?
To fix CVE-2019-10638, update the Linux kernel to version 5.1.7 or later, or apply the relevant patches provided by your Linux distribution.
What systems are affected by CVE-2019-10638?
CVE-2019-10638 affects versions of the Linux kernel prior to 5.1.7 and specific Red Hat and IBM products listed in the vulnerability details.
What type of vulnerability is CVE-2019-10638?
CVE-2019-10638 is a tracking vulnerability that allows remote users to observe weak IP ID generation, potentially compromising device privacy.
Is CVE-2019-10638 exploitable remotely?
Yes, CVE-2019-10638 can be exploited by remote users to observe and track Linux devices.