Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 20 Jun 2019 12:56:22 -0500
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Security Report <security-report@...smail.netflix.com>,
	security-report@...flix.com,
	Arturo Borrero González <arturo@...filter.org>
Subject: Re: Linux and FreeBSD Kernel: Multiple TCP-based
 remote denial of service issues

On 2019-06-17 10:33:38, Security Report wrote:
> #1: CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
> 
> Description: A sequence of SACKs may be crafted such that one can trigger 
> an integer overflow, leading to a kernel panic.
> 
> Fix: Apply the attached patch (“PATCH_net_1_4.patch”). Additionally, 
> versions of the Linux kernel up to, and including, 4.14 require a second 
> patch (“PATCH_net_1a.patch”).
> 
> Workaround #1: Block connections with a low MSS using one of the attached 
> filters. (The values in the filters are examples. You can apply a higher or 
> lower limit, as appropriate for your environment.) Note that these filters 
> may break legitimate connections which rely on a low MSS. Also, note that 
> this mitigation is only effective if TCP probing is disabled (that is, the 
> net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the 
> default value for that sysctl).

Netflix graciously provided this example iptables rule as a workaround:

 # iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

I have received a few questions about an equivalent nftables rule. I
didn't have one but Arturo Borrero González has provided this equivalent
rule:

 # nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop

I did a simple test of sending SYN packets with MSS values of 500 and
lower to a server that had the nftables rule loaded. The packets were
dropped by the server with no SYN-ACK response. Bumping the MSS value up
to 501 resulted in the SYN packet not being dropped and a proper SYN-ACK
response.

Consider adding the nftables rule as an alternative in any written
advisories on SACK Panic.

Thanks for the nftables rule, Arturo!

Tyler

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.