Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20190620175621.GB2646@lindsey>
Date: Thu, 20 Jun 2019 12:56:22 -0500
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Security Report <security-report@...smail.netflix.com>,
	security-report@...flix.com,
	Arturo Borrero González <arturo@...filter.org>
Subject: Re: Linux and FreeBSD Kernel: Multiple TCP-based
 remote denial of service issues

On 2019-06-17 10:33:38, Security Report wrote:
> #1: CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
> 
> Description: A sequence of SACKs may be crafted such that one can trigger 
> an integer overflow, leading to a kernel panic.
> 
> Fix: Apply the attached patch (“PATCH_net_1_4.patch”). Additionally, 
> versions of the Linux kernel up to, and including, 4.14 require a second 
> patch (“PATCH_net_1a.patch”).
> 
> Workaround #1: Block connections with a low MSS using one of the attached 
> filters. (The values in the filters are examples. You can apply a higher or 
> lower limit, as appropriate for your environment.) Note that these filters 
> may break legitimate connections which rely on a low MSS. Also, note that 
> this mitigation is only effective if TCP probing is disabled (that is, the 
> net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the 
> default value for that sysctl).

Netflix graciously provided this example iptables rule as a workaround:

 # iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

I have received a few questions about an equivalent nftables rule. I
didn't have one but Arturo Borrero González has provided this equivalent
rule:

 # nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop

I did a simple test of sending SYN packets with MSS values of 500 and
lower to a server that had the nftables rule loaded. The packets were
dropped by the server with no SYN-ACK response. Bumping the MSS value up
to 501 resulted in the SYN packet not being dropped and a proper SYN-ACK
response.

Consider adding the nftables rule as an alternative in any written
advisories on SACK Panic.

Thanks for the nftables rule, Arturo!

Tyler

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.