Security Vulnerability: TCP SACK Denial of Service attacks aka "SACK Panic" - CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479

This document (7023928) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11

Situation

Researchers from Netflix have found 3 denial of service attacks against the Linux TCP stack, where one can be used by remote attackers to panic / crash the system, and 2 can be used to cause high resource usage.

This is possible as soon as remote attackers can open TCP connections to a host, regardless of the actual underlying service.

Three separate issues were identified:

1. CVE-2019-11477: SACK Panic  

A sequence of SACKs may be crafted by a remote attacker such that one can trigger an integer overflow, leading to a kernel panic.

This would crash the whole machine.

2. CVE-2019-11478: SACK Slowness or Excess Resource Usage

It is possible to send a crafted sequence of SACKs which will fragment the TCP re-transmission queue. A remote attacker may be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

This can result in slow downs.

3. CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values 

It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. A remote attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

This can result in slow downs.

All currently maintained SUSE Linux products are affected by all 3 issues.

Resolution

SUSE has released Linux kernel updates to address these vulnerabilities for all supported distributions.

1. Apply the updated packages.
2. Update /etc/sysctl.conf with:
net.ipv4.tcp_min_snd_mss = 400

Workaround :

When it is not possible to immediately apply the kernel updates that resolve these issues, and after careful consideration, the following workarounds can possibly be applied :

1. SACK Panic

There are 2 workarounds possible :

Workaround #1: 
Block connections with a low MSS using e.g. iptables.
(Important note :  this may break legitimate connections which rely on a low MSS.)

Use the iptables module tcpmss to set a range of TCP MSS values to reject.

An attacker using a small (in this example < 500) MSS will drop the TCP SYN packets.
This will block connection establishment and so block the attack.

iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP


Workaround #2: 
Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 0).
(Important note : This will cause a slow down in the processing of TCP connections.)

Temporary (until reboot):

echo 0 > /proc/sys/net/ipv4/tcp_sack 

or for persistence during machine restarts add the line below to /etc/sysctl.conf:

net.ipv4.tcp_sack = 0

2. SACK Slowness 

Workaround #1: 
Block connections with a low MSS using one of the filters listed under "1. SACK Panic" above.
(Important note:  this may break legitimate connections which rely on a low MSS.)

Workaround #2: 
Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 0), same as listed under "1. SACK Panic" above.
(Important note : This will cause a slow down in the processing of TCP connections.)

3. Excess Resource Consumption Due to Low MSS Values

Workaround: Block connections with a low MSS using one of the below filters, as listed under "1. SACK Panic" above.
(Important note :  this may break legitimate connections which rely on a low MSS.)

Cause

Additional Information

TCP MSS stands for TCP Maximum Segment Size. 

TCP SACK stands for TCP Selective Acknowledgement. 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7023928
  • Creation Date: 11-Jun-2019
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center