Lucene search

K
myhack58佚名MYHACK58:62201994611
HistoryJun 19, 2019 - 12:00 a.m.

CVE-2019-11477: Linux kernel TCP SACK mechanism remote Dos early warning analysis-vulnerability warning-the black bar safety net

2019-06-1900:00:00
佚名
www.myhack58.com
640

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.974 High

EPSS

Percentile

99.9%

0x00 vulnerability description
2019 6 May 18, RedHat official website released a report: security researchers in the Linux kernel handles the TCP SACK data packet module found three vulnerabilities, the CVE number for CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479, wherein the CVE-2019-11477 vulnerability can reduce the system operating efficiency, and may be sent to remote attacker for denial of service attacks, the extent of the impact is serious.
360CERT it is determined that the vulnerability affects a wide, serious harm, the recommendations of the majority of users timely updated.
Vulnerability details
SACK(Selective ACK)is a TCP option, it makes the recipient tell the sender which packet segment is lost, which packets the segment retransmission, and which message segments have been received in advance and other information. Based on this information, TCP can only retransmit what really lost packet segment. Note that only received out of sequence packet only when the might send SACK, the TCP ACK or the establishment in the cumulative acknowledgment based on.
The Linux SKB can accommodate up to 17 fragment:
linux/include/linux/skbuff. h
define MAX_SKB_FRAGS (65536/PAGE_SIZE + 1) => 17
Each segment in the x86(PowerPC on of 64KB of data can accommodate a maximum of 32KB, when the data packet will be sent when it is placed in the send queue, which detailed information stored in the control buffer structure:
linux/include/linux/skbuff. h
struct tcp_skb_cb {
__u32 seq; /* Starting sequence number /
__u32 end_seq; /
SEQ + FIN + SYN + datalen /
__u32 tcp_tw_isn;
struct {
u16 tcp_gso_segs;
u16 tcp_gso_size;
};
__u8 tcp_flags; /2
TCP header flags. (tcp[13]) */

}
tcp_gso_segs for recording the number of data packets, the type is u16, the record up to 65526 one. But the SACK mechanism allows TCP retransmission to merge multiple SKB queue, which fills 17 fragments to maximum capacity, 17 321024 /8 = 69632, causing tcp_gso_segs an integer overflow, which triggers a BUG_ON()call, causing the kernel to crash.
static bool tcp_shifted_skb (struct sock *sk, …, unsigned int pcount, …)
{

tcp_skb_pcount_add(prev, pcount);
BUG_ON(tcp_skb_pcount(skb) SACK panic
tcp_skb_pcount_add(skb, -pcount);

}
An attacker can send a series of particular SACK packet, trigger the kernel module integer overflow vulnerability, leading to a remote denial of service attack.

0x01 impact version
Impact of the Linux kernel 2. 6. 29 and above versions

0x02 repair program
(1)timely update patch
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_1_4.patch
The Linux kernel version>=4.14 need to hit the second patch
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_1a.patch
(2)to disable SACK processing
echo 0 > /proc/sys/net/ipv4/tcp_sack
(3)the use of filters to block the attack
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/block-low-mss/README.md
This alleviates the need to disable TCP to detect when a valid, i.e. in the/etc/sysctl. conf file in the net. ipv4. tcp_mtu_probingsysctl set to 0
(4)RedHat users can use the following script to check whether the system is flawed
https://access.redhat.com/sites/default/files/cve-2019-11477-2019-06-17-1629.sh

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.974 High

EPSS

Percentile

99.9%