CVSS3: 7.5 High
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 7.8 High
Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | COMPLETE |
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.974 High (Percentile 99.9%)
Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels.
CVE-2019-11477: SACK Panic (Linux >= 2.6.29). A sequence of specially crafted selective acknowledgements (SACK) may trigger an integer overflow, leading to a denial of service or possible kernel failure (panic).
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions). A sequence of specially crafted selective acknowledgements (SACK) may fragment the TCP retransmission queue, potentially resulting in slowness or denial of service.
CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack). The TCP loss detection algorithm, Recent ACKnowledgment (RACK), uses time and packet or sequence counts to detect losses. RACK uses linked lists to track and identify missing packets. A sequence of specially crafted acknowledgements may cause the linked lists to grow very large, consuming CPU or network resources and resulting in slowness or denial of service.
CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions). The minimum maximum segment size (MSS) the Linux kernel will accept is hard-coded to 48 bytes, so a peer advertising a very low MSS can force the kernel to split its responses into many small TCP segments, each carrying only 8 bytes of data. This drastically increases the bandwidth, CPU and network-interface processing needed to deliver the same data, resulting in slowness or denial of service. The attack requires sustained traffic from the attacker, and the impact ends shortly after that traffic stops.
For detailed descriptions of these vulnerabilities, see: <https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md>
A remote, unauthenticated attacker who can open a TCP connection to a listening service on an affected host could cause a kernel crash (CVE-2019-11477) or excessive resource consumption leading to a delay or denial of service.
Apply Patches
Several vendors have already issued patches and made efforts to contact their user base. See the vendor list below for details from specific vendors. If your vendor is not listed, please check their web pages or contact them directly.
Several vendors have issued workarounds, typically disabling SACK processing or filtering connections that advertise a very low MSS. See the vendor list below for details from specific vendors.
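The two runtime workarounds referenced above (disabling SACK processing, or dropping SYNs that advertise a tiny MSS), packaged as an added audit helper that is not part of this vulnerability note or of any vendor's tooling. It reads a sysctl-style snapshot rather than the live kernel so it runs offline; the snapshots at the bottom are constructed, the 500-byte MSS cutoff and the /etc/sysctl.d path are illustrative choices, and the use of net.ipv4.tcp_min_snd_mss as the marker of a patched kernel comes from the upstream fix for CVE-2019-11479, not from this page.

```shell
#!/bin/sh
# Added example (not from the vulnerability note): audit a host's exposure to the
# TCP SACK/MSS issues and emit the documented runtime workarounds.
# Input is a sysctl-style snapshot ("key = value" lines), so it runs offline; for a
# live check pass: "$(sysctl net.ipv4.tcp_sack net.ipv4.tcp_min_snd_mss 2>/dev/null)"

# sysctl_value <snapshot> <key>: print the value for <key>, or nothing if absent.
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F' *= *' '$1 == k { print $2; exit }'
}

# True when SACK processing is off: the workaround for CVE-2019-11477/11478,
# at the cost of slower loss recovery on lossy paths.
sack_disabled() {
    [ "$(sysctl_value "$1" net.ipv4.tcp_sack)" = "0" ]
}

# The fix for CVE-2019-11479 introduced net.ipv4.tcp_min_snd_mss (default 48).
# Its presence is used here as the marker of a kernel carrying the fix series.
has_min_snd_mss() {
    [ -n "$(sysctl_value "$1" net.ipv4.tcp_min_snd_mss)" ]
}

# One status word per snapshot: patched, mitigated (SACK off) or exposed.
sack_status() {
    if has_min_snd_mss "$1"; then
        echo patched
    elif sack_disabled "$1"; then
        echo mitigated
    else
        echo exposed
    fi
}

# Workaround 1: drop SYNs advertising an MSS below <cutoff> (assumed 500 here;
# tune it for your links, since VPN or PPPoE peers may legitimately use a lower MSS).
mss_filter_rules() {
    cutoff=${1:-500}
    printf 'iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:%s -j DROP\n' "$cutoff"
    printf 'ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:%s -j DROP\n' "$cutoff"
}

# Workaround 2: disable SACK now and across reboots (the drop-in path is illustrative).
sack_off_commands() {
    printf 'sysctl -w net.ipv4.tcp_sack=0\n'
    printf "echo 'net.ipv4.tcp_sack = 0' > /etc/sysctl.d/99-tcp-sack.conf\n"
}

# Constructed snapshots for demonstration; none were captured from a real host.
SNAP_UNPATCHED='net.ipv4.tcp_sack = 1'
SNAP_WORKAROUND='net.ipv4.tcp_sack = 0'
SNAP_PATCHED='net.ipv4.tcp_sack = 1
net.ipv4.tcp_min_snd_mss = 48'

main() {
    for snap in "$SNAP_UNPATCHED" "$SNAP_WORKAROUND" "$SNAP_PATCHED"; do
        status=$(sack_status "$snap")
        echo "status: $status"
        if [ "$status" = exposed ]; then
            mss_filter_rules 500
            sack_off_commands
        fi
    done
}

main
```

Treat "mitigated" as a stopgap rather than an end state: disabling SACK removes the trigger for the two SACK issues but does nothing for CVE-2019-11479, and the MSS filter only protects connections accepted after the rule is loaded, so the kernel update remains the fix.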
Vendor Information (VU#905115)
Arch Linux
Notified: June 19, 2019 Updated: June 20, 2019
Statement Date: June 20, 2019
Affected
You can find information about which packages (variants) a CVE affected and if (plus when) a package was fixed on our security tracker:
https://security.archlinux.org/CVE-2019-11477
https://security.archlinux.org/CVE-2019-11478
https://security.archlinux.org/CVE-2019-11479
We have also published advisories to our distro-specific mailing lists and on the security tracker, which you will find below. The advisories contain workarounds that we recommended.
To summarize the fixed versions there:
kernel: linux
affected: 5.1.10.arch1-1
fixed: 5.1.11.arch1-1
advisory: https://security.archlinux.org/ASA-201906-13
kernel: linux-lts
affected: 4.19.51-1
fixed: 4.19.52-1
advisory: https://security.archlinux.org/ASA-201906-14
kernel: linux-hardened
affected: 4.19.52-1
fixed: 5.1.11.a-1
advisory: https://security.archlinux.org/ASA-201906-12
kernel: linux-zen
affected: 5.1.10.zen1-1
fixed: 5.1.11.zen1-1
advisory: https://security.archlinux.org/ASA-201906-15
Arista Networks
Notified: June 19, 2019 Updated: July 08, 2019
Statement Date: July 05, 2019
Affected
https://www.arista.com/en/support/advisories-notices/security-advisories/8066-security-advisory-41 which provides tracking, mitigation, and long term fix information.
Check Point
Updated: June 27, 2019
Statement Date: June 25, 2019
Affected
Check Point is vulnerable to CVE-2019-11478 and in some releases also to CVE-2019-11477. Check Point software is not vulnerable to CVE-2019-11479 or the FreeBSD CVEs.
The vulnerability to the 2 CVEs is only relevant to traffic directed to or from the gateway or management machines. Traffic going through the gateway for inspection is not affected by the vulnerabilities and won't be affected by disabling SACK. There is a mitigation to the 2 relevant CVEs, which is to disable SACK.
CoreOS
Notified: June 19, 2019 Updated: June 20, 2019
Statement Date: June 19, 2019
Affected
These vulnerabilities were addressed in CoreOS Container Linux alpha 2163.2.1, beta 2135.3.1, and stable 2079.6.0. Previous versions of CoreOS Container Linux are affected.
Debian GNU/Linux
Notified: June 19, 2019 Updated: June 20, 2019
Statement Date: June 20, 2019
Affected
Advisory at https://www.debian.org/security/2019/dsa-4465
FreeBSD Project
Updated: June 20, 2019
Affected
Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.
Notified: June 19, 2019 Updated: June 20, 2019
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 19, 2019 Updated: June 20, 2019
Statement Date: June 19, 2019
Affected
Updates issued on Monday, June 17, 2019
Synology
Notified: June 19, 2019 Updated: June 24, 2019
Statement Date: June 21, 2019
Affected
Synology has confirmed our products are affected, and we have published a security advisory for your reference:
https://www.synology.com/security/advisory/Synology_SA_19_28
CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 allow remote attackers to conduct denial-of-service attacks via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM).
Ubuntu
Notified: June 19, 2019 Updated: June 20, 2019
Statement Date: June 19, 2019
Affected
We have a KnowledgeBase page here:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
We released updates for CVE-2019-11477 and CVE-2019-11478. The corresponding Ubuntu Security Notices can be found here:
https://usn.ubuntu.com/4017-1/
https://usn.ubuntu.com/4017-2/
A set of future Ubuntu kernel updates will address the sysctl-based mitigation for CVE-2019-11479.
Notified: June 19, 2019 Updated: June 27, 2019
Statement Date: June 27, 2019
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Eleven further vendors
Notified: June 19, 2019 Updated: June 19, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 5.3 | AV:N/AC:L/Au:–/C:C/I:C/A:C |
Temporal | 5 | E:ND/RL:W/RC:C |
Environmental | 5.0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
These vulnerabilities were reported by Jonathan Looney (Netflix Information Security).
This document was written by Laurie Tyzenhaus.
CVE IDs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-5599
Date Public: 2019-06-17
Date First Published:
https://access.redhat.com/security/vulnerabilities/tcpsack
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md