search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels

Vulnerability Note VU#905115

Original Release Date: 2019-06-20 | Last Revised: 2019-07-08

Overview

Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels.

Description

CVE-2019-11477: SACK Panic (Linux >= 2.6.29). A sequence of specifically crafted selective acknowledgements (SACK) may trigger an integer overflow, leading to a denial of service or possible kernel failure (panic).

CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions). A sequence of specifically crafted selective acknowledgements (SACK) may cause a fragmented TCP queue, with a potential result in slowness or denial of service.

CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack). The TCP loss detection algorithm, Recent ACKnowledgment (RACK), uses time and packet or sequence counts to detect losses. RACK uses linked lists to track and identify missing packets. A sequence of specifically crafted acknowledgements may cause the linked lists to grow very large, thus consuming CPU or network resources, resulting in slowness or denial of service.

CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions). The default maximum segment size (MSS) is hard-coded to 48 bytes which may cause an increase of fragmented packets. This vulnerability may create a resource consumption problem in both the CPU and network interface, resulting in slowness or denial of service.

For detailed descriptions of these vulnerabilities, see: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Impact

A remote attacker could cause a kernel crash (CVE-2019-11477) or excessive resource consumption leading to a delay or denial of service.

Solution

Apply Patches
Several vendors have already issued patches and made efforts to contact their user base. See the vendor list below for details from specific vendors. If your vendor is not listed, please check their web pages or contact them directly.

Several vendors have issued workarounds. See the vendor list below for details from specific vendors.

Vendor Information

905115
 
Affected   Unknown   Unaffected

Arch Linux

Notified:  June 19, 2019 Updated:  June 20, 2019

Statement Date:   June 20, 2019

Status

  Affected

Vendor Statement

You can find information about which packages (variants) a CVE affected
and if (plus when) a package was fixed on our security tracker:

https://security.archlinux.org/CVE-2019-11477
https://security.archlinux.org/CVE-2019-11478
https://security.archlinux.org/CVE-2019-11479

We have also published advisories to our distro specific mailinglists
and on the security tracker which you will find below. The advisories
contain workarounds that we recommended.

Vendor Information

To summarize the fixed versions there:

kernel: linux
affected: 5.1.10.arch1-1
fixed: 5.1.11.arch1-1
advisory:
https://security.archlinux.org/ASA-201906-13

kernel: linux-lts
affected: 4.19.51-1
fixed: 4.19.52-1
advisory:
https://security.archlinux.org/ASA-201906-14

kernel: linux-hardened
affected: 4.19.52-1
fixed: 5.1.11.a-1
advisory:
https://security.archlinux.org/ASA-201906-12

kernel: linux-zen
affected: 5.1.10.zen1-1
fixed: 5.1.11.zen1-1
advisory:
https://security.archlinux.org/ASA-201906-15

Vendor References

Arista Networks, Inc.

Notified:  June 19, 2019 Updated:  July 08, 2019

Statement Date:   July 05, 2019

Status

  Affected

Vendor Statement

Affected..

Vendor Information

https://www.arista.com/en/support/advisories-notices/security-advisories/8066-security-advisory-41 which provides tracking, mitigation, and long term fix information.

Vendor References

Check Point Software Technologies

Updated:  June 27, 2019

Statement Date:   June 25, 2019

Status

  Affected

Vendor Statement

Check Point is vulnerable to CVE-2019-11478 and in some releases also to CVE-2019-11477. Check Point software is not vulnerable to CVE-2019-11479 or the FreeBSD

    CVEs.

Vendor Information

The vulnerability to the 2 CVEs is only relevant to traffic directed to or from the gateway or management machines. Traffic going through the gateway for inspection is not affected by the vulnerabilities and won't be affected by disabling SACK. There is a mitigation to the 2 relevant CVEs which is to disable SACK.

Vendor References

CoreOS

Notified:  June 19, 2019 Updated:  June 20, 2019

Statement Date:   June 19, 2019

Status

  Affected

Vendor Statement

These vulnerabilities were addressed in CoreOS Container Linux alpha 2163.2.1, beta 2135.3.1, and stable 2079.6.0.  Previous versions of CoreOS Container Linux are affected.

Vendor References

Debian GNU/Linux

Notified:  June 19, 2019 Updated:  June 20, 2019

Statement Date:   June 20, 2019

Status

  Affected

Vendor Statement

Advisory at https://www.debian.org/security/2019/dsa-4465

Vendor References

FreeBSD Project

Updated:  June 20, 2019

Status

  Affected

Vendor Statement

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Vendor References

Red Hat, Inc.

Notified:  June 19, 2019 Updated:  June 20, 2019

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

SUSE Linux

Notified:  June 19, 2019 Updated:  June 20, 2019

Statement Date:   June 19, 2019

Status

  Affected

Vendor Statement

Updates issued on Monday, June 17, 2019

Vendor References

Synology

Notified:  June 19, 2019 Updated:  June 24, 2019

Statement Date:   June 21, 2019

Status

  Affected

Vendor Statement

Synology has confirmed our products are affected, and we have published a security advisory for your reference:
https://www.synology.com/security/advisory/Synology_SA_19_28

Vendor Information

CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 allow remote attackers to conduct denial-of-service attacks via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM).

Vendor References

Ubuntu

Notified:  June 19, 2019 Updated:  June 20, 2019

Statement Date:   June 19, 2019

Status

  Affected

Vendor Statement

We have a KnowledgeBase page here:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic

We released updates for CVE-2019-11477 and CVE-2019-11478. The corresponding Ubuntu Security Notices can be found here:

https://usn.ubuntu.com/4017-1/
https://usn.ubuntu.com/4017-2/

Vendor Information

A set of future Ubuntu kernel updates will address the sysctl-based mitigation for CVE-2019-11479..

Vendor References

Microsoft

Notified:  June 19, 2019 Updated:  June 27, 2019

Statement Date:   June 27, 2019

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alpine Linux

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Aspera Inc.

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Geexbox

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Marconi, Inc.

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Micro Focus

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Tizen

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  June 19, 2019 Updated:  June 19, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 22 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 5.3 AV:N/AC:L/Au:--/C:C/I:C/A:C
Temporal 5 E:ND/RL:W/RC:C
Environmental 5.0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Jonathan Looney(Netflix Information Security)

This document was written by Laurie Tyzenhaus.

Other Information

CVE IDs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-5599
Date Public: 2019-06-17
Date First Published: 2019-06-20
Date Last Updated: 2019-07-08 14:21 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.