[cv-announce-l] Linux TCP SACK Panic (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)


  • From: Andrew K Adams <akadams@psc.edu>
  • To: cv-announce@trustedci.org
  • Cc: "Andrew K. Adams" <akadams@psc.edu>
  • Subject: [cv-announce-l] Linux TCP SACK Panic (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
  • Date: Tue, 18 Jun 2019 11:49:41 -0400

CI Operators:


Three new vulnerabilities were announced that affect the Linux TCP networking stack [1][2][3][4][5]. The most serious of the three, CVE-2019-11477, is rated Important; the other two, CVE-2019-11478 and CVE-2019-11479, are resource-consumption and slowness issues rated lower. CVE-2019-11477 is an integer overflow in the 16-bit segment counter of the kernel's socket buffer (SKB) that is reached when TCP Selective Acknowledgement (SACK, an efficiency in the TCP acknowledgement process) causes the kernel to coalesce many small segments held in the retransmit queue. It can be triggered by a specially crafted TCP session: the peer advertises a very small Maximum Segment Size (MSS), down to the 48-byte minimum the kernel accepts, so that a given amount of data needs many more segments (and thus fragments in the socket buffer), and then sends a sequence of packets carrying specific SACK blocks.


Impact:

A remote, unauthenticated attacker who can establish a TCP connection to a vulnerable host (or be the server side of one) can trigger a kernel panic, resulting in a denial of service, as long as SACK is enabled on the host.


Recommendation:

Apply the vendor kernel patches in your next maintenance window and reboot into the patched kernel; the fix is in the running kernel, so installing the package without a reboot does not close the issue.


If applying the patch is intractable, you can alternatively disable TCP SACK by setting /proc/sys/net/ipv4/tcp_sack to 0 with the following command. Note that sysctl -w takes effect immediately but does not persist across reboots; to make it permanent, add the same setting (net.ipv4.tcp_sack = 0) to /etc/sysctl.conf or a file under /etc/sysctl.d/. Disabling SACK makes recovery from packet loss less efficient, so expect reduced throughput on lossy or high-latency paths.


# sysctl -w net.ipv4.tcp_sack=0


Alternatively, instead of disabling SACK, you can use a firewall to drop TCP packets with the SYN flag set (which includes SYN-ACKs) that advertise a small MSS; the rule published in the Netflix advisory [1] drops MSS values from 1 to 500. Legitimate peers normally advertise an MSS close to their path MTU (1460 on plain Ethernet, 536 being the IPv4 default), so this rarely affects normal traffic, but peers on heavily encapsulated links with a genuinely small MSS would be blocked.
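As an added illustration (this code is not part of the advisory or of the referenced bulletins), the following Python walks the TCP option list of a SYN and applies the small-MSS drop rule as a classifier, so you can see what the firewall match is keyed on, how a SACK-disabled host's SYN differs from a normal one, and where the rule can catch a legitimate peer. The threshold of 500 is the value in Netflix's published iptables rule; the option byte strings are constructed by hand for the example, not captured traffic.

```python
"""Constructed example (added here; not code from the Trusted CI advisory or
from the Netflix/Red Hat bulletins): parse the options field of a TCP SYN and
apply the "drop small-MSS SYNs" firewall mitigation as a classifier.
The sample option lists below are hand-built, not captured traffic."""
import struct

MSS_DROP_THRESHOLD = 500   # Netflix's published rule: -m tcpmss --mss 1:500 -j DROP
DEFAULT_IPV4_MSS = 536     # RFC 6691: value assumed when a SYN carries no MSS option
ATTACK_MSS = 48            # MSS used in the published description; the lowest the kernel accepted

# TCP option kinds relevant to this advisory (RFC 793, RFC 2018)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_PERMITTED = 0, 1, 2, 4


def parse_tcp_options(options: bytes) -> dict:
    """Walk a TCP option list and return the advertised MSS (None if absent)
    and whether SACK was offered. Truncated or inconsistent lists raise
    ValueError instead of being silently accepted."""
    result = {"mss": None, "sack_permitted": False}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:              # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option kind {kind} is missing its length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = options[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            result["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_SACK_PERMITTED and length == 2:
            result["sack_permitted"] = True
        i += length
    return result


def syn_verdict(options: bytes, threshold: int = MSS_DROP_THRESHOLD) -> str:
    """Decision the firewall rule makes for a segment with the SYN flag set
    (SYN-ACKs included): DROP when the advertised MSS is in 1..threshold,
    ACCEPT otherwise. A SYN with no MSS option implies the RFC default of
    536, which the rule lets through."""
    mss = parse_tcp_options(options)["mss"]
    if mss is None:
        mss = DEFAULT_IPV4_MSS
    return "DROP" if 1 <= mss <= threshold else "ACCEPT"


def _ts(tsval: int, tsecr: int) -> bytes:
    """Timestamp option (kind 8, length 10), included to make the samples realistic."""
    return bytes([8, 10]) + struct.pack("!II", tsval, tsecr)


# Hand-constructed option lists (not captures).
SAMPLE_SYNS = {
    # typical Linux client: MSS 1460, SACK permitted, timestamps, NOP, window scale 7
    "ethernet_client": bytes([2, 4, 0x05, 0xB4, 4, 2]) + _ts(1, 0) + bytes([1, 3, 3, 7]),
    # same client after 'sysctl -w net.ipv4.tcp_sack=0': Linux emits NOP NOP instead of SACK-permitted
    "sack_disabled_client": bytes([2, 4, 0x05, 0xB4, 1, 1]) + _ts(1, 0) + bytes([1, 3, 3, 7]),
    # shape of the published proof of concept: MSS 48 with SACK offered
    "sack_panic_style": bytes([2, 4]) + struct.pack("!H", ATTACK_MSS) + bytes([4, 2]),
    # legitimate but unusual peer behind heavy encapsulation: MSS 460 (collateral damage)
    "tunnelled_peer": bytes([2, 4]) + struct.pack("!H", 460) + bytes([4, 2]),
    # bare SYN with no options at all: RFC default MSS applies
    "no_options": b"",
}


def classify_samples(threshold: int = MSS_DROP_THRESHOLD) -> dict:
    """Apply the rule to every sample; returns {name: (mss, sack_permitted, verdict)}."""
    out = {}
    for name, opts in SAMPLE_SYNS.items():
        parsed = parse_tcp_options(opts)
        out[name] = (parsed["mss"], parsed["sack_permitted"], syn_verdict(opts, threshold))
    return out


if __name__ == "__main__":
    for name, (mss, sack, verdict) in classify_samples().items():
        print(f"{name:22s} mss={mss!s:>5} sack_permitted={sack!s:5} -> {verdict}")
```

The "tunnelled_peer" entry is the trade-off the advisory warns about: a peer whose real MSS is 460 is indistinguishable from the attack by this rule alone, so if you deploy the filter, watch for connection failures from such hosts rather than assuming every drop is hostile.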


Affected Software:

* Linux Kernel >= 2.6.29 without the vendor fix (i.e., nearly every Linux distribution)


References:

[1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

[2] https://access.redhat.com/security/vulnerabilities/tcpsack

[3] https://access.redhat.com/security/cve/cve-2019-11477

[4] https://access.redhat.com/security/cve/cve-2019-11478

[5] https://access.redhat.com/security/cve/cve-2019-11479


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI can not provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.



