perfsonar-announce - [perfsonar-announce] New CVE for Linux TCP SACK Panic
- From: Andrew Lake
- Subject: [perfsonar-announce] New CVE for Linux TCP SACK Panic
- Date: Tue, 18 Jun 2019 10:48:16 -0700
On June 18, 2019 at 1:30:48 PM, Andrew Lake wrote:
On June 18, 2019 at 10:51:08 AM, Andrew K Adams wrote:
CI Operators:
Three new vulnerabilities were announced that affect the Linux TCP networking stack [1][2][3][4][5]. The most serious of the three, CVE-2019-11477, was rated as important. This vulnerability, a mishandling of TCP SACK fragments (an efficiency in the TCP acknowledgement process) within Linux’s socket buffer, can be exploited by specially crafted TCP packets. These packets will have the Maximum Segment Size (MSS) set to a small value (to increase the number of segments needed, and thus, fragments in the socket buffer), and each packet in the sequence will have specific SACK requests set.
Impact:
A malicious actor could cause a Linux kernel panic possibly resulting in a DoS when SACK is enabled.
Recommendation:
Apply kernel patches during next maintenance schedule.
If applying the patch is intractable, you can alternatively disable TCP SACK by setting /proc/sys/net/ipv4/tcp_sack to 0 with the following command.
# sysctl -w net.ipv4.tcp_sack=0
Alternatively, instead of disabling SACK, you can block packets with a small MSS value using a firewall. However, this could lead to blocking legitimate traffic.
Affected Software:
* Linux Kernel >= 2.6.29 (i.e., nearly every Linux distribution)
References:
[1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
[2] https://access.redhat.com/security/vulnerabilities/tcpsack
[3] https://access.redhat.com/security/cve/cve-2019-11477
[4] https://access.redhat.com/security/cve/cve-2019-11478
[5] https://access.redhat.com/security/cve/cve-2019-11479
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI can not provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
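The following is an added example, not part of the advisory or of Trusted CI's material: a POSIX shell audit that reports whether either workaround named above (SACK disabled, or a firewall rule dropping small-MSS segments) is in place on a host. The sysctl path it reads, the iptables-save rule shape it greps for and the 1:500 MSS range are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit whether one of the two
# workarounds it names is active. Whether the kernel itself is patched
# must be checked against your distribution's advisory; a version string
# alone does not tell you, so that is deliberately out of scope here.

# Print "disabled" (exit 0) when SACK is off, "enabled" (exit 1) otherwise.
# $1 optionally overrides the sysctl path, which lets the checks be run
# against constructed files instead of the live kernel.
sack_state() {
  path="${1:-/proc/sys/net/ipv4/tcp_sack}"
  [ -r "$path" ] || { echo "unknown"; return 2; }
  if [ "$(cat "$path")" = "0" ]; then echo "disabled"; return 0; fi
  echo "enabled"; return 1
}

# Exit 0 if an iptables-save dump on stdin contains a DROP rule that uses
# the tcpmss match against a range starting at 1 (e.g. --mss 1:500, the
# shape of the firewall alternative in the advisory), else exit 1.
has_small_mss_drop() {
  grep -Eq -- '-m tcpmss --mss 1:[0-9]+ .*-j DROP'
}

# Combine both checks. $1: tcp_sack path (empty = live kernel);
# $2: file holding iptables-save output. Prints which workaround applies.
workaround_in_place() {
  if [ "$(sack_state "$1")" = "disabled" ]; then echo "sack-disabled"; return 0; fi
  if has_small_mss_drop < "$2"; then echo "mss-filtered"; return 0; fi
  echo "none"; return 1
}

# Stand-alone use: `sh sack_audit.sh audit` (as root, so iptables-save works).
# Note that `sysctl -w` does not survive a reboot; persist the setting with a
# line "net.ipv4.tcp_sack = 0" in a file under /etc/sysctl.d/ as well.
if [ "${1:-}" = "audit" ]; then
  rules=$(mktemp)
  iptables-save > "$rules" 2>/dev/null || :
  workaround_in_place "" "$rules"
  rm -f "$rules"
fi
```

Disabling SACK trades the panic for lower throughput on lossy paths, so on perfSONAR hosts that measure throughput the firewall alternative (or the kernel update itself) is usually the workaround to prefer.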