Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.
The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic ,” allows a remotely-triggered kernel panic on recent Linux kernels.
Currently known workarounds:
sysctl -w net.ipv4.tcp_sack=0". And to make it permanent across reboots, "echo "net.ipv4.tcp_sack=0" > /etc/sysctl.d/90-SACK_Panic.conf".echo "iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP" >> /etc/firewall.user"....except that it doesn't fix CVE-2019-11479 on Linux.
I am editing my post right now, adding instructions for that vulnerability, too; thanks for pointing it out.
kernel source been patched yesterday https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.127
does not work since missing -w -> sysctl -w net.ipv4.tcp_sack=0
From own experience, a node with kernel 4.14.123, the above has stopped the reboots caused by the attack - seen this been exploited for the past 2 weeks
Well, it seemed to work here, but it makes sense; I fixed my post, thanks!
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP addresses CVE-2019-11479 according to https://www.openwall.com/lists/oss-security/2019/06/17/5.
That comes at additional cpu cost. Are you implying that the patched source kernel is not sufficient and requires additional netfilter intervention?
No I am implying that the statement "[@eduperez posted workarounds] don't fix CVE-2019-11479 on Linux" contradicts https://www.openwall.com/lists/oss-security/2019/06/17/5 which suggests the netfilter rule (among other filter options) as temporary workaround for issue #4 (CVE-2019-11479).
I see, thanks for the clarification. So were waiting then for the patched kernel to arrive
isn't the default on wan port to block all incoming. Is this not sufficient?
Some reports indicate the only devices that accept incoming TCP connections are affected. However, I am not sure that devices routing TCP connections on behalf of others are not affected.
I do not pretend to be an expert on the subject, I'm just reporting here the info I have gathered.
It is not unfortunately, you would have to look into the technicalities of the bug or the patch.
The kernels containing the fixes for these CVE's have been pushed to master, 19.07 and 18.06.
17.01 will follow within 1 .. 2 days normally.
edit: @hauke pushed to 17.01 already.
For FreeBSD users, from the linked Netflix article
CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Workaround #1: Apply the patch split_limit.patch and set the
net.inet.tcp.rack.split_limitsysctl to a reasonable value to limit the size of the SACK table.Workaround #2: Temporarily disable the RACK TCP stack.
From https://lists.freebsd.org/pipermail/svn-src-all/2018-June/165204.html
To build this into your kernel you will need to enable in your
kernel:
makeoptions WITH_EXTRA_TCP_STACKS=1
options TCPHPTS
Sponsored by: Netflix Inc.
Thanks for this! Had to install iptables-mod-ipopt to be able to run the iptables line on 18.02.
I am very sorry then. Didn't notice that the post was edited earlier.
No worries
