[opensuse] CVE-2019-11477 (/proc/sys/net/ipv4/tcp_sack = 1) ?
All,

Anyone know whether there is a planned fix for:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477

related:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479

Suggested work-around:

echo 0 > /proc/sys/net/ipv4/tcp_sack

(default is 1)

From El Reg:

With CVE-2019-11477, a string of TCP SACK responses will cause the Linux kernel to unexpectedly hit an internal data structure limit, triggering a fatal panic. The others affecting Linux will force the system to consume resources, thus slowing it down, as Red Hat explained in its technical summary (https://access.redhat.com/security/vulnerabilities/tcpsack) today.

(had to resend from a day or so ago)

-- 
David C. Rankin, J.D.,P.E.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 6/20/19 6:00 PM, David C. Rankin wrote:
> All,
>
> Anyone know whether there is a planned fix for:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
>
> related:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
>
> Suggested work-around:
>
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> (default is 1)
>
> From El Reg:
>
> With CVE-2019-11477, a string of TCP SACK responses will cause the Linux kernel to unexpectedly hit an internal data structure limit, triggering a fatal panic. The others affecting Linux will force the system to consume resources, thus slowing it down, as Red Hat explained in its technical summary (https://access.redhat.com/security/vulnerabilities/tcpsack) today.
The SUSE site recommended this as one option, until the kernel is updated:

iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

I tried it and it doesn't seem to have broken anything yet.

I read somewhere that turning off tcp_sack has network performance issues.

Regards,
Lew
Lew Wolfgang wrote:
> The SUSE site recommended this as one option, until the kernel is updated:
>
> iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
>
> I tried it and it doesn't seem to have broken anything yet.
You are unlikely to find any genuine traffic with an MSS that small. I have exactly _one_ situation where I restrict MSS to 1440; it involves ipip links and a broken PMTU discovery.

-- 
Per Jessen, Zürich (17.9°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
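To check a host for the two workarounds discussed in this thread (tcp_sack=0 from the original post, and the SUSE low-MSS DROP rule Lew quoted and Per commented on), here is an added audit script; it is not from the thread or from SUSE, and its iptables-save excerpt is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the thread: audit a host for the two SACK Panic
# workarounds discussed above (tcp_sack=0, or the SUSE low-MSS DROP rule).
# The check functions take their input as text, so they can be run against
# saved output as well as against the live host.

# Describe the tcp_sack setting ($1 is the contents of /proc/sys/net/ipv4/tcp_sack).
sack_status() {
    case "$1" in
        0) echo "tcp_sack=0: SACK disabled, workaround active (may cost throughput)" ;;
        1) echo "tcp_sack=1: SACK enabled, kernel fix or MSS filter needed" ;;
        *) echo "tcp_sack has unexpected value '$1'"; return 1 ;;
    esac
}

# Succeed if iptables-save output ($1) contains the rule from the thread in INPUT:
#   -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
mss_filter_present() {
    printf '%s\n' "$1" | grep -Eq -e '^-A INPUT .*-p tcp .*-m tcpmss --mss 1:500 .*-j DROP'
}

# Overall verdict: return 0 when at least one workaround is in place.
# $1 = tcp_sack value, $2 = iptables-save output.
audit_sack_mitigations() {
    sack_status "$1" || return 1
    if mss_filter_present "$2"; then
        echo "MSS filter present: TCP segments with MSS 1..500 are dropped"
        return 0
    fi
    echo "MSS filter absent"
    [ "$1" = "0" ]
}

# Constructed iptables-save excerpt (not captured from a real host) for offline runs.
SAMPLE_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

if [ "${1-}" = "--live" ]; then
    # Live mode reads the real sysctl and the real rule set (iptables-save needs root).
    audit_sack_mitigations "$(cat /proc/sys/net/ipv4/tcp_sack)" "$(iptables-save 2>/dev/null)"
else
    audit_sack_mitigations 1 "$SAMPLE_RULES"
fi
```

Run it with `--live` as root to audit the current host; without arguments it exercises the constructed sample.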
On 2019-06-20 07:00 PM, David C. Rankin wrote:
> All,
>
> Anyone know whether there is a planned fix for:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
>
> related:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
>
> Suggested work-around:
>
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> (default is 1)
>
> From El Reg:
>
> With CVE-2019-11477, a string of TCP SACK responses will cause the Linux kernel to unexpectedly hit an internal data structure limit, triggering a fatal panic. The others affecting Linux will force the system to consume resources, thus slowing it down, as Red Hat explained in its technical summary (https://access.redhat.com/security/vulnerabilities/tcpsack) today.
>
> (had to resend from a day or so ago)
This was already resolved on the 18th. The CVE you mention is specifically stated. See for example

https://lists.opensuse.org/opensuse-updates/2019-06/msg00088.html

Separate messages were sent out for each of 42.3 and 15.*