Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <84db7fe5-446a-4445-96db-8445fd43395c@saasmail.netflix.com>
Date: Mon, 17 Jun 2019 10:33:38 -0700 (PDT)
From: Security Report <security-report@...smail.netflix.com>
To: Security Report <security-report@...smail.netflix.com>
Cc: security-report@...flix.com, oss-security@...ts.openwall.com
Subject: Linux and FreeBSD Kernel: Multiple TCP-based remote denial of
 service issues

Netflix has identified several TCP networking vulnerabilities in FreeBSD 
and Linux kernels.

The vulnerabilities specifically relate to the minimum segment size (MSS) 
and TCP Selective Acknowledgement (SACK) capabilities. The most serious, 
dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent 
Linux kernels.

There are patches that address most of these vulnerabilities. If patches 
can not be applied, certain mitigations will be effective. We recommend 
that affected parties enact one of those described below, based on their 
environment.

#1: CVE-2019-11477: SACK Panic (Linux >= 2.6.29)

Description: A sequence of SACKs may be crafted such that one can trigger 
an integer overflow, leading to a kernel panic.

Fix: Apply the attached patch (“PATCH_net_1_4.patch”). Additionally, 
versions of the Linux kernel up to, and including, 4.14 require a second 
patch (“PATCH_net_1a.patch”).

Workaround #1: Block connections with a low MSS using one of the attached 
filters. (The values in the filters are examples. You can apply a higher or 
lower limit, as appropriate for your environment.) Note that these filters 
may break legitimate connections which rely on a low MSS. Also, note that 
this mitigation is only effective if TCP probing is disabled (that is, the 
net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the 
default value for that sysctl).

Workaround #2: Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 
0).

(Note that either workaround should be sufficient on its own. It is not 
necessary to apply both workarounds.)


#2: CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage 
(all Linux versions)

Description: It is possible to send a crafted sequence of SACKs which will 
fragment the TCP retransmission queue. On Linux kernels prior to 4.15, an 
attacker may be able to further exploit the fragmented queue to cause an 
expensive linked-list walk for subsequent SACKs received for that same TCP 
connection.

Fix: Apply the attached patch (“PATCH_net_2_4.patch”)

Workaround #1: Block connections with a low MSS using one of the attached 
filters. (The values in the filters are examples. You can apply a higher or 
lower limit, as appropriate for your environment.) Note that these filters 
may break legitimate connections which rely on a low MSS. Also, note that 
this mitigation is only effective if TCP probing is disabled (that is, the 
net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the 
default value for that sysctl).

Workaround #2: Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 
0).

(Note that either workaround should be sufficient on its own. It is not 
necessary to apply both workarounds.)


#3: CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

Description: It is possible to send a crafted sequence of SACKs which will 
fragment the RACK send map. An attacker may be able to further exploit the 
fragmented send map to cause an expensive linked-list walk for subsequent 
SACKs received for that same TCP connection.

Workaround #1: Apply the attached patch (“split_limit.patch”) and set the 
net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the 
size of the SACK table.

Workaround #2: Temporarily disable the RACK TCP stack.

(Note that either workaround should be sufficient on its own. It is not 
necessary to apply both workarounds.)


#4: CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all 
Linux versions)

Description: An attacker can force the Linux kernel to segment its 
responses into multiple TCP segments, each of which contains only 8 bytes 
of data. This drastically increases the bandwidth required to deliver the 
same amount of data. Further, it consumes additional resources (CPU and NIC 
processing power). This attack requires continued effort from the attacker 
and the impacts will end shortly after the attacker stops sending traffic.

Fix: Two attached patches (“PATCH_net_3_4.patch” and “PATCH_net_4_4.patch”) 
add a sysctl which enforces a minimum MSS, set by the 
net.ipv4.tcp_min_snd_mss sysctl. This lets an administrator enforce a 
minimum MSS appropriate for their applications.

Workaround: Block connections with a low MSS using one of the attached 
filters. (The values in the filters are examples. You can apply a higher or 
lower limit, as appropriate for your environment.) Note that these filters 
may break legitimate connections which rely on a low MSS. Also, note that 
this mitigation is only effective if TCP probing is disabled (that is, the 
net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the 
default value for that sysctl).


Note: Good system and application coding and configuration practices 
(limiting write buffers to the necessary level, monitoring connection 
memory consumption via SO_MEMINFO, and aggressively closing misbehaving 
connections) can help to limit the impact of attacks against these kinds of 
vulnerabilities.

An advisory has been published 
at https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Acknowledgments:
Originally reported by Jonathan Looney.
We thank Eric Dumazet for providing Linux fixes and support.
We thank Bruce Curtis for providing the Linux filters.
We thank Jonathan Lemon and Alexey Kodanev for helping to improve the Linux 
patches.
We gratefully acknowledge the assistance of Tyler Hicks in testing fixes, 
refining the information about vulnerable versions, and providing 
assistance during the disclosure process.

Regards,
Netflix Information Security

Content of type "text/html" skipped

View attachment "PATCH_net_1_4.patch" of type "text/x-diff" (5885 bytes)

View attachment "PATCH_net_1a.patch" of type "text/x-diff" (2192 bytes)

Download attachment "block-low-mss.tgz" of type "application/x-gtar" (1682 bytes)

View attachment "PATCH_net_2_4.patch" of type "text/x-diff" (2739 bytes)

View attachment "split_limit.patch" of type "text/x-diff" (6530 bytes)

View attachment "PATCH_net_3_4.patch" of type "text/x-diff" (5118 bytes)

View attachment "PATCH_net_4_4.patch" of type "text/x-diff" (1374 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.