List:       oss-security
Subject:    Re: [oss-security] Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service issues
From:       Tyler Hicks <tyhicks () canonical ! com>
Date:       2019-06-20 17:56:22
Message-ID: 20190620175621.GB2646 () lindsey

On 2019-06-17 10:33:38, Security Report wrote:
> #1: CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
> 
> Description: A sequence of SACKs may be crafted such that one can trigger 
> an integer overflow, leading to a kernel panic.
> 
> Fix: Apply the attached patch ("PATCH_net_1_4.patch"). Additionally, 
> versions of the Linux kernel up to, and including, 4.14 require a second 
> patch ("PATCH_net_1a.patch").
> 
> Workaround #1: Block connections with a low MSS using one of the attached 
> filters. (The values in the filters are examples. You can apply a higher or 
> lower limit, as appropriate for your environment.) Note that these filters 
> may break legitimate connections which rely on a low MSS. Also, note that 
> this mitigation is only effective if TCP probing is disabled (that is, the 
> net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the 
> default value for that sysctl).

Netflix graciously provided this example iptables rule as a workaround:

 # iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

I have received a few questions about an equivalent nftables rule. I
didn't have one but Arturo Borrero González has provided this equivalent
rule:

 # nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop

I did a simple test of sending SYN packets with MSS values of 500 and
lower to a server that had the nftables rule loaded. The packets were
dropped by the server with no SYN-ACK response. Bumping the MSS value up
to 501 resulted in the SYN packet not being dropped and a proper SYN-ACK
response.

Consider adding the nftables rule as an alternative in any written
advisories on SACK Panic.

Thanks for the nftables rule, Arturo!

Tyler
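A user-space model of what the nftables rule above matches, added here as an example (it is not part of the thread, and not code from Netflix or from the nftables project): it builds constructed SYN segments, walks the TCP options field for the MSS option (kind 2, length 4), and applies the 1-500 drop range, reproducing the 500/501 boundary described in the test above. Port numbers and the extra options are arbitrary constructed values.

```python
import struct

MSS_DROP_RANGE = (1, 500)  # same example range as the iptables/nftables rules


def build_tcp_header(src_port, dst_port, flags, options):
    """Build a minimal TCP header (checksum left zero) carrying `options`."""
    options = options + b"\x00" * (-len(options) % 4)  # pad with EOL to 32-bit words
    data_offset = 5 + len(options) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


def build_syn(mss):
    """Constructed SYN: MSS option, a NOP, then a window-scale option (kind 3)."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
    return build_tcp_header(40000, 80, 0x02, options)


def tcp_mss(segment):
    """Return the MSS option value from a TCP segment, or None if it is absent."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL: end of options list
            break
        if kind == 1:            # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):   # truncated option header
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # malformed length, stop parsing
            break
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def rule_drops(segment, low=MSS_DROP_RANGE[0], high=MSS_DROP_RANGE[1]):
    """Model of `tcp flags syn tcp option maxseg size low-high drop`."""
    syn_set = bool(segment[13] & 0x02)
    mss = tcp_mss(segment)
    return syn_set and mss is not None and low <= mss <= high
```

Segments without an MSS option, or without the SYN flag, fall through the rule, which is why the filter only affects connection setup.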