Date: Thu, 20 Jun 2019 12:56:22 -0500
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Security Report <security-report@...smail.netflix.com>, security-report@...flix.com, Arturo Borrero González <arturo@...filter.org>
Subject: Re: Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service issues

On 2019-06-17 10:33:38, Security Report wrote:
> #1: CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
>
> Description: A sequence of SACKs may be crafted such that one can trigger
> an integer overflow, leading to a kernel panic.
>
> Fix: Apply the attached patch ("PATCH_net_1_4.patch"). Additionally,
> versions of the Linux kernel up to, and including, 4.14 require a second
> patch ("PATCH_net_1a.patch").
>
> Workaround #1: Block connections with a low MSS using one of the attached
> filters. (The values in the filters are examples. You can apply a higher or
> lower limit, as appropriate for your environment.) Note that these filters
> may break legitimate connections which rely on a low MSS. Also, note that
> this mitigation is only effective if TCP probing is disabled (that is, the
> net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the
> default value for that sysctl).

Netflix graciously provided this example iptables rule as a workaround:

  # iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

I have received a few questions about an equivalent nftables rule. I didn't
have one but Arturo Borrero González has provided this equivalent rule:

  # nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop

I did a simple test of sending SYN packets with MSS values of 500 and lower
to a server that had the nftables rule loaded. The packets were dropped by
the server with no SYN-ACK response. Bumping the MSS value up to 501
resulted in the SYN packet not being dropped and a proper SYN-ACK response.

Consider adding the nftables rule as an alternative in any written
advisories on SACK Panic.

Thanks for the nftables rule, Arturo!

Tyler
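As an added illustration (not part of Tyler's message, the Netflix advisory, or the nftables project), the following Python emulates the match logic of the nftables rule quoted above: it parses the MSS option out of a TCP header and reports whether a SYN with that MSS falls in the 1-500 drop range. The packets are constructed inline and the helper names are my own.

```python
import struct

# Emulates the match logic of the workaround rule quoted in the message:
#   tcp flags syn tcp option maxseg size 1-500 drop
# Sample packets are constructed below; nothing here touches a real socket.

MSS_LOW, MSS_HIGH = 1, 500        # the example range from the advisory
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
FLAG_SYN = 0x02

def tcp_mss(segment: bytes):
    """Return the MSS from a TCP segment's options, or None if absent."""
    data_offset = (segment[12] >> 4) * 4      # header length in bytes
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:               # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            break                             # truncated option: stop
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                             # malformed length: stop
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def low_mss_rule_drops(segment: bytes) -> bool:
    """True when the segment matches 'tcp flags syn tcp option maxseg size 1-500'."""
    if not segment[13] & FLAG_SYN:            # rule only looks at SYN packets
        return False
    mss = tcp_mss(segment)
    return mss is not None and MSS_LOW <= mss <= MSS_HIGH

def build_syn(mss=None, flags=FLAG_SYN, nops=0) -> bytes:
    """Construct a minimal TCP header (sample input, not a captured packet)."""
    opts = b"\x01" * nops
    if mss is not None:
        opts += struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    opts += b"\x00" * (-len(opts) % 4)        # pad options to a 32-bit boundary
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, flags, 65535, 0, 0)
    return hdr + opts

if __name__ == "__main__":
    for mss in (500, 501):
        print(mss, low_mss_rule_drops(build_syn(mss)))
```

The 500/501 boundary reproduces the behaviour Tyler observed in his test; a SYN with no MSS option, or a non-SYN segment, does not match the rule at all.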