K26618426 : Linux SACK Slowness vulnerability CVE-2019-11478

Security Advisory Description

Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e. (CVE-2019-11478)

Impact

BIG-IP

The BIG-IP system has no exposure to this vulnerability within the Traffic Management Microkernel (TMM), including virtual servers and virtual IP addresses (also known as the data plane). However, the BIG-IP system is vulnerable via the self IP addresses and the management interface (also known as the control plane). A remote attacker can exploit this vulnerability to cause a denial of service (DoS) by sending a sequence of specially crafted TCP packets.

Backend systems accessed via a FastL4 virtual server

By its nature as a full-proxy, the BIG-IP system protects backend systems accessed through a standard virtual server, as any attacker’s TCP connection would be terminated at the BIG-IP system. However, backend systems accessed via a FastL4 virtual server (a virtual server configured with a FastL4 profile) are exposed by default as the attack traffic is forwarded as-is to the backend system.

Traffix SDC

A remote attacker can exploit this vulnerability to cause a denial of service by sending a sequence of specially crafted TCP SACK packets.