CERT/CC Vulnerability Note VU#905115

Overview

Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels.

Description

CVE-2019-11477: SACK Panic (Linux >= 2.6.29). A sequence of specifically crafted selective acknowledgements (SACK) may trigger an integer overflow, leading to a denial of service or possible kernel failure (panic).

CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions). A sequence of specifically crafted selective acknowledgements (SACK) may cause a fragmented TCP queue, with a potential result in slowness or denial of service.

CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack). The TCP loss detection algorithm, Recent ACKnowledgment (RACK), uses time and packet or sequence counts to detect losses. RACK uses linked lists to track and identify missing packets. A sequence of specifically crafted acknowledgements may cause the linked lists to grow very large, thus consuming CPU or network resources, resulting in slowness or denial of service.

CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions). The default maximum segment size (MSS) is hard-coded to 48 bytes which may cause an increase of fragmented packets. This vulnerability may create a resource consumption problem in both the CPU and network interface, resulting in slowness or denial of service.

For detailed descriptions of these vulnerabilities, see: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Impact

A remote attacker could cause a kernel crash (CVE-2019-11477) or excessive resource consumption leading to a delay or denial of service.

Solution

Apply Patches
Several vendors have already issued patches and made efforts to contact their user base. See the vendor list below for details from specific vendors. If your vendor is not listed, please check their web pages or contact them directly.

Several vendors have issued workarounds. See the vendor list below for details from specific vendors.

Vendor Information

905115

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Arch Linux Affected

Arista Networks, Inc. Affected

Check Point Software Technologies Affected

CoreOS Affected

Debian GNU/Linux Affected

FreeBSD Project Affected

Red Hat, Inc. Affected

SUSE Linux Affected

Synology Affected

Ubuntu Affected

Microsoft Not Affected

Alpine Linux Unknown

Aspera Inc. Unknown

Fedora Project Unknown

Geexbox Unknown

Gentoo Linux Unknown

Marconi, Inc. Unknown

Micro Focus Unknown

Openwall GNU/*/Linux Unknown

Slackware Linux Inc. Unknown

Tizen Unknown

Turbolinux Unknown

View all 22 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base	5.3	AV:N/AC:L/Au:--/C:C/I:C/A:C
Temporal	5	E:ND/RL:W/RC:C
Environmental	5.0	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Jonathan Looney (Netflix Information Security)

This document was written by Laurie Tyzenhaus.

Other Information

CVE IDs:	CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-5599
Date Public:	2019-06-17
Date First Published:	2019-06-20
Date Last Updated:	2019-07-08 14:21 UTC
Document Revision:	18

Software Engineering Institute

CERT Coordination Center

Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels

Vulnerability Note VU#905115