CERT Vulnerability Note VU#905115

Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels

Published: Jun 20, 2019 - 12:00 a.m.
Source: www.kb.cert.org

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.974 High
Percentile: 99.9%

Overview

Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels.

Description

CVE-2019-11477: SACK Panic (Linux >= 2.6.29). A sequence of specifically crafted selective acknowledgements (SACK) may trigger an integer overflow, leading to a denial of service or possible kernel failure (panic).

CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions). A sequence of specifically crafted selective acknowledgements (SACK) may cause a fragmented TCP queue, potentially resulting in slowness or denial of service.

CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack). The TCP loss detection algorithm, Recent ACKnowledgment (RACK), uses time and packet or sequence counts to detect losses. RACK uses linked lists to track and identify missing packets. A sequence of specifically crafted acknowledgements may cause the linked lists to grow very large, thus consuming CPU or network resources, resulting in slowness or denial of service.

CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions). The default maximum segment size (MSS) is hard-coded to 48 bytes, which may cause an increase in fragmented packets. This vulnerability may create a resource consumption problem in both the CPU and the network interface, resulting in slowness or denial of service.

For detailed descriptions of these vulnerabilities, see: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md


Impact

A remote attacker could cause a kernel crash (CVE-2019-11477) or excessive resource consumption leading to a delay or denial of service.


Solution

Apply Patches
Several vendors have already issued patches and made efforts to contact their user base. See the vendor list below for details from specific vendors. If your vendor is not listed, please check their web pages or contact them directly.


Several vendors have issued workarounds. See the vendor list below for details from specific vendors.
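As an added illustration, not part of the CERT note or of any vendor statement below, the following POSIX shell script audits a Linux host for the two sysctl-based workarounds the vendor statements refer to: whether TCP SACK has been disabled (the mitigation Check Point describes for the two SACK CVEs) and whether the kernel exposes, and has raised, the minimum send-MSS floor introduced with the CVE-2019-11479 fix (the sysctl-based mitigation Ubuntu mentions). The tunable names net.ipv4.tcp_sack and net.ipv4.tcp_min_snd_mss are standard Linux kernel sysctls rather than values taken from this page, and the 536-byte threshold is an operator policy choice used here as an example (the classic IPv4 default MSS), not a value this note prescribes.

```shell
#!/bin/sh
# Added example, not from the CERT note or any vendor: audit a Linux host for
# the two sysctl-based workarounds the vendor statements mention.
# Assumptions: net.ipv4.tcp_sack (enable/disable SACK) and
# net.ipv4.tcp_min_snd_mss (floor on the MSS the kernel will transmit with,
# added by the CVE-2019-11479 fix) are standard Linux sysctls; a kernel that
# predates the fix simply has no tcp_min_snd_mss entry.

# sack_mitigation_status SACK_VALUE
# "mitigated" when SACK is disabled (tcp_sack=0); anything else, including an
# empty value from an unreadable sysctl, is reported as "exposed".
sack_mitigation_status() {
    case "$1" in
        0) echo "mitigated" ;;
        *) echo "exposed" ;;
    esac
}

# min_mss_status MSS_VALUE THRESHOLD
# "unpatched" if the sysctl is absent (empty value), "raised" if the floor is
# at or above the operator-chosen THRESHOLD, "below-threshold" otherwise
# (including a non-numeric value, which the -ge test rejects). The note says
# the old hard-coded floor was 48 bytes; the threshold itself is a policy choice.
min_mss_status() {
    value=$1
    threshold=$2
    if [ -z "$value" ]; then
        echo "unpatched"
    elif [ "$value" -ge "$threshold" ] 2>/dev/null; then
        echo "raised"
    else
        echo "below-threshold"
    fi
}

# read_sysctl KEY: print the value from /proc/sys, or nothing if the key is
# absent or unreadable (always exits 0, so callers may run under set -e).
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    fi
}

# audit_host THRESHOLD: report both checks for the running kernel.
audit_host() {
    sack=$(read_sysctl net.ipv4.tcp_sack)
    mss=$(read_sysctl net.ipv4.tcp_min_snd_mss)
    printf 'net.ipv4.tcp_sack=%s        -> SACK workaround: %s\n' \
        "${sack:-absent}" "$(sack_mitigation_status "$sack")"
    printf 'net.ipv4.tcp_min_snd_mss=%s -> low-MSS floor: %s\n' \
        "${mss:-absent}" "$(min_mss_status "$mss" "$1")"
}

# 536 is the classic IPv4 default MSS (RFC 879); choose the floor your network needs.
audit_host 536
```

Two readings of the report matter in practice: an "unpatched" low-MSS result means the kernel has no tcp_min_snd_mss entry at all and therefore predates the vendor fix, so patching rather than tuning is the remedy; and an "exposed" SACK result is only a finding on a kernel that has not yet been patched, since disabling SACK is a workaround with a throughput cost on lossy paths, not a substitute for the vendor updates described above.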


Vendor Information


Arch Linux Affected

Notified: June 19, 2019 Updated: June 20, 2019

Statement Date: June 20, 2019

Status

Affected

Vendor Statement

You can find information about which packages (variants) a CVE affected
and if (plus when) a package was fixed on our security tracker:

https://security.archlinux.org/CVE-2019-11477
https://security.archlinux.org/CVE-2019-11478
https://security.archlinux.org/CVE-2019-11479

We have also published advisories to our distro specific mailing lists
and on the security tracker which you will find below. The advisories
contain workarounds that we recommended.

Vendor Information

To summarize the fixed versions there:

kernel: linux
affected: 5.1.10.arch1-1
fixed: 5.1.11.arch1-1
advisory: https://security.archlinux.org/ASA-201906-13

kernel: linux-lts
affected: 4.19.51-1
fixed: 4.19.52-1
advisory: https://security.archlinux.org/ASA-201906-14

kernel: linux-hardened
affected: 4.19.52-1
fixed: 5.1.11.a-1
advisory: https://security.archlinux.org/ASA-201906-12

kernel: linux-zen
affected: 5.1.10.zen1-1
fixed: 5.1.11.zen1-1
advisory: https://security.archlinux.org/ASA-201906-15

Vendor References

Arista Networks, Inc. Affected

Notified: June 19, 2019 Updated: July 08, 2019

Statement Date: July 05, 2019

Status

Affected

Vendor Statement

Affected…

Vendor Information

https://www.arista.com/en/support/advisories-notices/security-advisories/8066-security-advisory-41 which provides tracking, mitigation, and long term fix information.

Vendor References

Check Point Software Technologies Affected

Updated: June 27, 2019

Statement Date: June 25, 2019

Status

Affected

Vendor Statement

Check Point is vulnerable to CVE-2019-11478 and in some releases also to CVE-2019-11477. Check Point software is not vulnerable to CVE-2019-11479 or the FreeBSD CVEs.

Vendor Information

The vulnerability to the 2 CVEs is only relevant to traffic directed to or from the gateway or management machines. Traffic going through the gateway for inspection is not affected by the vulnerabilities and won’t be affected by disabling SACK. There is a mitigation to the 2 relevant CVEs which is to disable SACK.

Vendor References

CoreOS Affected

Notified: June 19, 2019 Updated: June 20, 2019

Statement Date: June 19, 2019

Status

Affected

Vendor Statement

These vulnerabilities were addressed in CoreOS Container Linux alpha 2163.2.1, beta 2135.3.1, and stable 2079.6.0. Previous versions of CoreOS Container Linux are affected.

Vendor References

Debian GNU/Linux Affected

Notified: June 19, 2019 Updated: June 20, 2019

Statement Date: June 20, 2019

Status

Affected

Vendor Statement

Advisory at https://www.debian.org/security/2019/dsa-4465

Vendor References

FreeBSD Project Affected

Updated: June 20, 2019

Status

Affected

Vendor Statement

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Vendor References

Red Hat, Inc. Affected

Notified: June 19, 2019 Updated: June 20, 2019

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

SUSE Linux Affected

Notified: June 19, 2019 Updated: June 20, 2019

Statement Date: June 19, 2019

Status

Affected

Vendor Statement

Updates issued on Monday, June 17, 2019

Vendor References

Synology Affected

Notified: June 19, 2019 Updated: June 24, 2019

Statement Date: June 21, 2019

Status

Affected

Vendor Statement

Synology has confirmed our products are affected, and we have published a security advisory for your reference:
https://www.synology.com/security/advisory/Synology_SA_19_28

Vendor Information

CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 allow remote attackers to conduct denial-of-service attacks via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM).

Vendor References

Ubuntu Affected

Notified: June 19, 2019 Updated: June 20, 2019

Statement Date: June 19, 2019

Status

Affected

Vendor Statement

We have a KnowledgeBase page here:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic

We released updates for CVE-2019-11477 and CVE-2019-11478. The corresponding Ubuntu Security Notices can be found here:

https://usn.ubuntu.com/4017-1/
https://usn.ubuntu.com/4017-2/

Vendor Information

A set of future Ubuntu kernel updates will address the sysctl-based mitigation for CVE-2019-11479.

Vendor References

Microsoft Not Affected

Notified: June 19, 2019 Updated: June 27, 2019

Statement Date: June 27, 2019

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alpine Linux Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Aspera Inc. Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Geexbox Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Marconi, Inc. Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Micro Focus Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Tizen Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: June 19, 2019 Updated: June 19, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           5.3    AV:N/AC:L/Au:–/C:C/I:C/A:C
Temporal       5      E:ND/RL:W/RC:C
Environmental  5.0    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Jonathan Looney (Netflix Information Security)

This document was written by Laurie Tyzenhaus.

Other Information

CVE IDs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-5599
Date Public: 2019-06-17 Date First Published:
