= SACK Panic and Other TCP Denial of Service Issues =

== CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 ==

Jonathan Looney [[ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md | discovered several flaws ]] in the way that the Linux kernel's TCP implementation processes Selective Acknowledgement (SACK) options and handles low Maximum Segment Size (MSS) values. A remote attacker could use these issues to perform denial of service attacks on a server. Three CVEs have been assigned to these issues:

 * [[ https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html | CVE-2019-11477 ]] for a remote denial of service (system crash) known as SACK Panic
 * [[ https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html | CVE-2019-11478 ]] for a remote denial of service (resource exhaustion)
 * [[ https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html | CVE-2019-11479 ]] for a remote denial of service (resource exhaustion)

CVE-2019-11477 is the highest severity issue because a remote attacker can leverage it to immediately crash a system due to an integer overflow when processing TCP SACKs. It affects all current Ubuntu releases.

CVE-2019-11478 is also severe because it can have a significant impact on CPU performance when processing TCP SACKs. This affects systems running kernel versions 4.14 and older, which includes the Ubuntu 16.04 LTS base kernel and all currently maintained kernels of Ubuntu 14.04 ESM and Ubuntu 12.04 ESM.

CVE-2019-11479 can impact CPU performance while the TCP stack is handling a malicious session that was opened using a very small MSS value. This vulnerability has less of an impact than the other two issues. It affects all current Ubuntu releases. This issue will be addressed in a set of future Ubuntu kernel updates.
== Mitigations ==

=== CVE-2019-11477 and CVE-2019-11478 ===

You should update your kernel to the versions specified below in the `Updates` section and reboot. Alternatively, [[ https://ubuntu.com/livepatch | Canonical Livepatch ]] updates will be available to mitigate these two issues without the need to reboot.

If neither of those options is possible at this time, you can mitigate the issue by temporarily disabling TCP SACK support:

{{{
$ sudo sysctl -w net.ipv4.tcp_sack=0
net.ipv4.tcp_sack = 0
}}}

'''IMPORTANT:''' The sysctl modification shown above is not persistent across reboots.

The mitigation described below for CVE-2019-11479 is also sufficient for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is not viable.

=== CVE-2019-11479 ===

Ubuntu kernel updates are not yet available for CVE-2019-11479. Future Ubuntu kernel updates will be available for Ubuntu 19.04, Ubuntu 18.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS which will provide a sysctl that allows the system administrator to define the minimum MSS value that the system should honor when sending outgoing TCP segments.

In the meantime, you may use an `iptables` rule to define the MSS value accepted for new TCP sessions. The rule will need to be tailored to your network environment in order to ensure that you aren't blocking TCP connections containing reasonable MSS values for your environment. The addition of a simple rule that only allows MSS values greater than 500 bytes is shown here:

{{{
$ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
}}}

Some firewalls may be implemented using `nftables` instead of `iptables`. The `nftables` equivalent is shown here:

{{{
$ sudo nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop
}}}

'''IMPORTANT:''' The `net.ipv4.tcp_mtu_probing` sysctl must be disabled (set to 0) when using either of the firewall rules shown above.
Ensure it is disabled using the following command:

{{{
$ sysctl net.ipv4.tcp_mtu_probing
net.ipv4.tcp_mtu_probing = 0
}}}

== Updates ==

Ubuntu users are recommended to update to the latest kernel packages to receive updates for CVE-2019-11477 and CVE-2019-11478. The majority of users should ensure that the following kernel packages are installed:

'''Important:''' CVE-2019-11479 is not addressed in the kernel updates mentioned below. It will be fixed in a future Ubuntu kernel update.

|| '''Ubuntu Release''' || '''Base Kernel''' || '''Enablement Kernel''' ||
|| 19.04 || [[ https://launchpad.net/ubuntu/+source/linux/5.0.0-17.18 | linux-image-5.0.0-17-generic 5.0.0-17.18 ]] || N/A ||
|| 18.10 || [[ https://launchpad.net/ubuntu/+source/linux/4.18.0-22.23 | linux-image-4.18.0-22-generic 4.18.0-22.23 ]] || N/A ||
|| 18.04 LTS || [[ https://launchpad.net/ubuntu/+source/linux/4.15.0-52.56 | linux-image-4.15.0-52-generic 4.15.0-52.56 ]] || [[ https://launchpad.net/ubuntu/+source/linux-hwe/4.18.0-22.23~18.04.1 | linux-image-4.18.0-22-generic 4.18.0-22.23~18.04.1 ]] ||
|| 16.04 LTS || [[ https://launchpad.net/ubuntu/+source/linux/4.4.0-151.178 | linux-image-4.4.0-151-generic 4.4.0-151.178 ]] || [[ https://launchpad.net/ubuntu/+source/linux-hwe/4.15.0-52.56~16.04.1 | linux-image-4.15.0-52-generic 4.15.0-52.56~16.04.1 ]] ||
|| 14.04 ESM || linux-image-3.13.0-171-generic 3.13.0-171.222 || linux-image-4.4.0-151-generic 4.4.0-151.178~14.04.1 ||
|| 12.04 ESM || linux-image-3.2.0-141-generic 3.2.0-141.188 || linux-image-3.13.0-171-generic 3.13.0-171.222~12.04.1 ||
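The following Bash script is an added worked example; it is not part of this wiki page and is not Ubuntu tooling. It ties together the two checks an administrator wants after reading the sections above: whether the running `-generic` kernel has reached the fixed ABI number from the table for its kernel series (the same number covers the base and enablement columns), and, for hosts not yet rebooted into a fixed kernel, which of the three CVEs the interim mitigations actually cover (disabling SACK covers CVE-2019-11477 and CVE-2019-11478 only; the low-MSS firewall rule covers all three, but only while `net.ipv4.tcp_mtu_probing` is 0). It also renders an `/etc/sysctl.d/` drop-in for the `tcp_sack=0` workaround, since `sysctl -w` alone does not survive a reboot. The function names, the drop-in text and the `--live` switch are this example's own; the pure functions take their input as arguments so they can be exercised without root, and the live system is only read when `--live` is given.

```bash
#!/bin/bash
# Added example (not from the Ubuntu wiki page or any Ubuntu tool): check a host
# for a fixed kernel and, until the reboot into it, for an interim mitigation.

# Pull the value out of one "key = value" line as printed by sysctl(8).
sysctl_value() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*= *//p'
}

# Classify a `uname -r` string such as 4.15.0-52-generic against the fixed ABI
# numbers in the table above. Only the -generic images the page lists are known;
# other flavours (cloud kernels use their own numbering) print consult-usn.
kernel_updated() {
    local series abi flavour fixed
    series=${1%%-*}                                  # 4.15.0
    abi=${1#*-}; flavour=${abi#*-}; abi=${abi%%-*}   # 52, generic
    case "$abi" in ''|*[!0-9]*) echo consult-usn; return ;; esac
    [ "$flavour" = generic ] || { echo consult-usn; return; }
    case "$series" in
        5.0.0)  fixed=17  ;;   # 19.04
        4.18.0) fixed=22  ;;   # 18.10, 18.04 enablement
        4.15.0) fixed=52  ;;   # 18.04, 16.04 enablement
        4.4.0)  fixed=151 ;;   # 16.04, 14.04 ESM enablement
        3.13.0) fixed=171 ;;   # 14.04 ESM, 12.04 ESM enablement
        3.2.0)  fixed=141 ;;   # 12.04 ESM
        *) echo consult-usn; return ;;
    esac
    if [ "$abi" -ge "$fixed" ]; then echo updated; else echo outdated; fi
}

# Which CVEs do the interim mitigations cover?
#   $1 net.ipv4.tcp_sack   $2 net.ipv4.tcp_mtu_probing
#   $3 yes/no: is a low-MSS drop rule (iptables tcpmss or nft maxseg) loaded?
# Disabling SACK covers -11477 and -11478 only; the MSS filter covers all three,
# but per the page only while tcp_mtu_probing is 0.
mitigation_state() {
    local sack_ok=no mss_ok=no c77=no c78=no c79=no
    [ "$1" = 0 ] && sack_ok=yes
    if [ "$3" = yes ] && [ "$2" = 0 ]; then mss_ok=yes; fi
    if [ "$sack_ok" = yes ] || [ "$mss_ok" = yes ]; then c77=yes; c78=yes; fi
    [ "$mss_ok" = yes ] && c79=yes
    printf 'CVE-2019-11477=%s CVE-2019-11478=%s CVE-2019-11479=%s\n' "$c77" "$c78" "$c79"
}

# Contents of an /etc/sysctl.d/ drop-in that keeps tcp_sack=0 across reboots
# (the page notes that `sysctl -w` on its own does not persist).
sack_dropin() {
    printf '%s\n' \
        '# SACK Panic workaround (CVE-2019-11477, CVE-2019-11478); remove after the kernel update' \
        'net.ipv4.tcp_sack = 0'
}

# Live report: read the running kernel and sysctls and look for the exact
# iptables/nftables rules shown on this page. Listing firewall rules needs root.
live_check() {
    local sack probing rule=no
    sack=$(sysctl -n net.ipv4.tcp_sack)
    probing=$(sysctl -n net.ipv4.tcp_mtu_probing)
    iptables -S INPUT 2>/dev/null | grep -q -- '-m tcpmss --mss 1:500 -j DROP' && rule=yes
    nft list ruleset 2>/dev/null | grep -q 'tcp option maxseg size 1-500 drop' && rule=yes
    echo "kernel $(uname -r): $(kernel_updated "$(uname -r)")"
    echo "mitigations: $(mitigation_state "$sack" "$probing" "$rule")"
    [ "$probing" = 0 ] || echo "warning: tcp_mtu_probing=$probing, so the MSS filter is not effective"
}

# Only touch the live system when asked; the functions above work on any input.
if [ "${1:-}" = --live ]; then live_check; fi
```

Run it as `sudo bash sack-check.sh --live` on the host being assessed; `kernel_updated` reporting `updated` while `mitigation_state` still shows `no` is the expected picture right after the package update and before the reboot, and `consult-usn` means the flavour is outside the table, so the version has to be checked against the relevant Ubuntu Security Notice instead.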
Users of other Ubuntu kernels should consult the [[ https://usn.ubuntu.com/ | Ubuntu Security Notices ]] for specific version information.

== References ==

For more information on these issues, please see the following reference documents:

 * [[ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md | Netflix Security Advisory (NFLX-2019-001) ]]
 * [[ https://tools.ietf.org/html/rfc2018 | TCP Selective Acknowledgement Options ]]

== Timeline ==

 * 2019 Jun 17 at 17:00 UTC: the issue is made public