SACKPanic

SACK Panic and Other TCP Denial of Service Issues

CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Jonathan Looney discovered several flaws in the way that the Linux kernel's TCP implementation processes Selective Acknowledgement (SACK) options and handles low Maximum Segment Size (MSS) values. A remote attacker could use these issues to perform denial of service attacks on a server.

Three CVEs have been assigned to these issues:

  • CVE-2019-11477 for a remote denial of service (system crash) known as SACK Panic

  • CVE-2019-11478 for a remote denial of service (resource exhaustion)

  • CVE-2019-11479 for a remote denial of service (resource exhaustion)

CVE-2019-11477 is the highest severity issue because a remote attacker can leverage it to immediately crash a system due to an integer overflow when processing TCP SACKs. It affects all current Ubuntu releases.

CVE-2019-11478 is also severe because it can have a significant impact on CPU performance when processing TCP SACKs - this affects systems running kernel versions 4.14 and older. This includes the Ubuntu 16.04 LTS base kernel and all currently maintained kernels of Ubuntu 14.04 ESM and Ubuntu 12.04 ESM.

CVE-2019-11479 can impact CPU performance while the TCP stack is handling a malicious session that was opened using a very small MSS value. The vulnerability has less of an impact than the other two issues. It affects all current Ubuntu releases. This issue will be addressed in a set of future Ubuntu kernel updates.

Mitigations

CVE-2019-11477 and CVE-2019-11478

You should update your kernel to the versions specified below in the Updates section and reboot. Alternatively, Canonical Livepatch updates will be available to mitigate these two issues without the need to reboot.

If neither of those options is possible at this time, you can mitigate the issue by temporarily disabling TCP SACK support:

 $ sudo sysctl -w net.ipv4.tcp_sack=0
 net.ipv4.tcp_sack = 0

IMPORTANT: The sysctl modification shown above is not persistent across reboots.

The mitigation described below for CVE-2019-11479 is also sufficient for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is not viable.

CVE-2019-11479

Ubuntu kernel updates are not yet available for CVE-2019-11479. Future Ubuntu kernel updates will be available for Ubuntu 19.04, Ubuntu 18.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS which will provide a sysctl that allows the system administrator to define the minimum MSS value that the system should honor when sending outgoing TCP segments.

In the meantime, you may use an iptables rule to define the MSS value accepted for new TCP sessions. The rule will need to be tailored to your network environment in order to ensure that you aren't blocking TCP connections containing reasonable MSS values for your environment. The addition of a simple rule that only allows MSS values greater than 500 bytes is shown here:

 $ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

Some firewalls may be implemented using nftables instead of iptables. The nftables equivalent is shown here:

 $ sudo nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop

IMPORTANT: The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using either of the firewall rules shown above. Ensure it is disabled using the following command:

 $ sysctl net.ipv4.tcp_mtu_probing
 net.ipv4.tcp_mtu_probing = 0

Updates

Ubuntu users are recommended to update to the latest kernel packages to receive updates for CVE-2019-11477 and CVE-2019-11478. The majority of users should ensure that the following kernel packages are installed:

Important: CVE-2019-11479 is not addressed in the kernel updates mentioned below. It will be fixed in a future Ubuntu kernel update.

Ubuntu Release | Base Kernel                                   | Enablement Kernel
19.04          | linux-image-5.0.0-17-generic 5.0.0-17.18      | N/A
18.10          | linux-image-4.18.0-22-generic 4.18.0-22.23    | N/A
18.04 LTS      | linux-image-4.15.0-52-generic 4.15.0-52.56    | linux-image-4.18.0-22-generic 4.18.0-22.23~18.04.1
16.04 LTS      | linux-image-4.4.0-151-generic 4.4.0-151.178   | linux-image-4.15.0-52-generic 4.15.0-52.56~16.04.1
14.04 ESM      | linux-image-3.13.0-171-generic 3.13.0-171.222 | linux-image-4.4.0-151-generic 4.4.0-151.178~14.04.1
12.04 ESM      | linux-image-3.2.0-141-generic 3.2.0-141.188   | linux-image-3.13.0-171-generic 3.13.0-171.222~12.04.1


Users of other Ubuntu kernels should consult the Ubuntu Security Notices for specific version information.
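The following script is an added example, not part of this advisory or of Canonical's tooling: it classifies a host against CVE-2019-11477 and CVE-2019-11478 by comparing the running kernel's ABI number (from `uname -r`, so a not-yet-booted update does not count) with the fixed ABI numbers in the table above, and by reading the net.ipv4.tcp_sack sysctl used as the temporary mitigation. Kernel series not listed in the table are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu advisory: classify a host against
# CVE-2019-11477 / CVE-2019-11478 from its running kernel version and the
# net.ipv4.tcp_sack setting. Fixed ABI numbers come from the Updates table
# on this page; kernel series not listed there are reported as "unknown".

# kernel_fixed "4.15.0-52-generic" -> fixed | unfixed | unknown
kernel_fixed() {
    series=${1%%-*}          # 4.15.0
    rest=${1#*-}             # 52-generic
    abi=${rest%%-*}          # 52 (the ABI number is what the fix bumps)
    case "$series" in        # minimum fixed ABI per kernel series (page table)
        5.0.0)  need=17  ;;
        4.18.0) need=22  ;;
        4.15.0) need=52  ;;
        4.4.0)  need=151 ;;
        3.13.0) need=171 ;;
        3.2.0)  need=141 ;;
        *) echo unknown; return 0 ;;
    esac
    case "$abi" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$abi" -ge "$need" ]; then echo fixed; else echo unfixed; fi
}

# host_status KERNEL TCP_SACK -> patched | mitigated | vulnerable | unknown
#   patched:    running kernel carries the fix, SACK may stay enabled
#   mitigated:  unfixed or unknown kernel, but net.ipv4.tcp_sack=0 (the
#               temporary sysctl mitigation; it does not survive a reboot)
#   vulnerable: unfixed kernel with SACK processing still enabled
host_status() {
    case "$(kernel_fixed "$1")" in
        fixed)   echo patched; return 0 ;;
        unfixed) k=unfixed ;;
        *)       k=unknown ;;
    esac
    if [ "$2" = 0 ]; then echo mitigated
    elif [ "$k" = unfixed ]; then echo vulnerable
    else echo unknown; fi
}

# Live check of the current host; only runs when invoked with --live so the
# functions above can be sourced and exercised offline with sample values.
if [ "${1-}" = "--live" ]; then
    status=$(host_status "$(uname -r)" "$(sysctl -n net.ipv4.tcp_sack)")
    echo "kernel=$(uname -r) status=$status"
    [ "$status" = patched ] || [ "$status" = mitigated ]
fi
```

Run it as `sh check_sack.sh --live` on the host; a non-zero exit means neither the fixed kernel nor the SACK mitigation is in place.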

References

For more information on these issues, please see the following reference documents:

Timeline

  • 2019 Jun 17 at 17:00 UTC: the issue is made public

SecurityTeam/KnowledgeBase/SACKPanic (last edited 2019-06-20 16:52:25 by tyhicks)