

[perfsonar-announce] New CVE for Linux TCP SACK Panic


  • From: Andrew Lake <>
  • To:
  • Cc:
  • Subject: [perfsonar-announce] New CVE for Linux TCP SACK Panic
  • Date: Tue, 18 Jun 2019 10:48:16 -0700

All,

There is a CVE for a new vulnerability making the rounds related to the TCP stack. Below is a note that went to the Trusted CI vulnerability list (https://trustedci.org/trustedci-email-lists) that has some really good details.

There is nothing specific to perfSONAR beyond any other Linux host. perfSONAR does not change the TCP settings in question from the defaults, meaning tcp_sack is enabled. It is recommended you update your kernel when it is made available by your chosen CentOS or Debian distribution. If you feel you can't wait and are willing to accept any performance implications, you can disable TCP SACK (again, see below). If you are unsure of the best course of action, it is recommended you consult your local system administrators.

Thanks,
The perfSONAR Team  


On June 18, 2019 at 1:30:48 PM, Andrew Lake () wrote:

On June 18, 2019 at 10:51:08 AM, Andrew K Adams () wrote:


CI Operators:


Three new vulnerabilities were announced that affect the Linux TCP networking stack [1][2][3][4][5]. The most serious of the three, CVE-2019-11477, was rated as important. This vulnerability, a mishandling of TCP SACK fragments (an efficiency in the TCP acknowledgement process) within Linux’s socket buffer, can be exploited by specially crafted TCP packets. These packets will have the Maximum Segment Size (MSS) set to a small value (to increase the number of segments needed, and thus, fragments in the socket buffer), and each packet in the sequence will have specific SACK requests set.


Impact:

A malicious actor could cause a Linux kernel panic possibly resulting in a DoS when SACK is enabled.


Recommendation:

Apply kernel patches during next maintenance schedule.


If applying the patch is intractable, you can alternatively disable TCP SACK by setting /proc/sys/net/ipv4/tcp_sack to 0 with the following command.


# sysctl -w net.ipv4.tcp_sack=0


Alternatively, instead of disabling SACK, you can block packets with a small MSS value using a firewall. However, this could lead to blocking legitimate traffic.


Affected Software:

* Linux Kernel >= 2.6.29 (i.e., nearly every Linux distribution)


References:

[1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
[2] https://access.redhat.com/security/vulnerabilities/tcpsack
[3] https://access.redhat.com/security/cve/cve-2019-11477
[4] https://access.redhat.com/security/cve/cve-2019-11478
[5] https://access.redhat.com/security/cve/cve-2019-11479


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
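As an added, defender-side check to go with the advisory's recommendation section (this is example code, not part of the Trusted CI notice or of perfSONAR): a POSIX shell script that reports whether a host falls in the affected kernel range given above and whether tcp_sack is on, and that persists the interim sysctl mitigation across reboots, which the one-shot `sysctl -w` does not. The sysctl.d file name 99-tcp-sack-off.conf and the sample kernel string are this example's own choices.

```shell
#!/bin/sh
# Exposure check for CVE-2019-11477 (TCP SACK Panic); added example, not part of
# the Trusted CI or perfSONAR notice. "exposed" = kernel >= 2.6.29 (the range the
# advisory gives) AND net.ipv4.tcp_sack = 1. A version test cannot tell a patched
# kernel from an unpatched one: confirm against your distribution's advisory.

# version_ge A B: exit 0 if dotted version A >= B, comparing numeric fields.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
    done
    return 0
}

# tcp_sack_state [FILE]: print 0, 1 or unknown; FILE defaults to the live sysctl file.
tcp_sack_state() {
    f="${1:-/proc/sys/net/ipv4/tcp_sack}"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo unknown; fi
}

# assess KERNEL_RELEASE SACK_FILE: print one status word for the host.
assess() {
    base=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p')  # 3.10.0-957.el7 -> 3.10.0
    if [ -z "$base" ]; then echo unknown-kernel; return 0; fi
    if ! version_ge "$base" 2.6.29; then echo not-affected-by-version; return 0; fi
    case "$(tcp_sack_state "$2")" in
        1) echo exposed ;;
        0) echo mitigated-sack-disabled ;;
        *) echo unknown-sack-state ;;
    esac
}

# persist_sack_off [DIR]: 'sysctl -w' is lost at reboot; a sysctl.d drop-in keeps SACK
# off until the patched kernel runs. File name is this example's choice; delete it after updating.
persist_sack_off() {
    d="${1:-/etc/sysctl.d}"
    printf '# CVE-2019-11477 interim mitigation; remove after kernel update\nnet.ipv4.tcp_sack = 0\n' > "$d/99-tcp-sack-off.conf"
}

# Demo: the live host, plus a constructed sample (RHEL 7 kernel string, SACK on).
sample=$(mktemp); echo 1 > "$sample"
echo "this host ($(uname -r)): $(assess "$(uname -r)" /proc/sys/net/ipv4/tcp_sack)"
echo "sample 3.10.0-957.el7.x86_64, tcp_sack=1: $(assess 3.10.0-957.el7.x86_64 "$sample")"
rm -f "$sample"
```

Run it as root on each perfSONAR host; a result of exposed on a kernel your distribution has not yet patched is the case the advisory's interim mitigations are for.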



