ArchLinux: 201906-12: linux-hardened: denial of service

    Date18 Jun 2019
    CategoryArchLinux
    406
    Posted ByLinuxSecurity Advisories
    The package linux-hardened before version 5.1.11.a-1 is vulnerable to denial of service.
    Arch Linux Security Advisory ASA-201906-12
    ==========================================
    
    Severity: High
    Date    : 2019-06-17
    CVE-ID  : CVE-2019-11477 CVE-2019-11478 CVE-2019-11479
    Package : linux-hardened
    Type    : denial of service
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-986
    
    Summary
    =======
    
    The package linux-hardened before version 5.1.11.a-1 is vulnerable to
    denial of service.
    
    Resolution
    ==========
    
    Upgrade to 5.1.11.a-1.
    
    # pacman -Syu "linux-hardened>=5.1.11.a-1"
    
    The problems have been fixed upstream in version 5.1.11.a.
    
    Workaround
    ==========
    
    - CVE-2019-11477 and CVE-2019-11478
    
      $ sudo sysctl -w net.ipv4.tcp_sack=0
    
    The mitigation described below for CVE-2019-11479 is also sufficient
    for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is
    not viable.
    
    - CVE-2019-11479
    
      $ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
    
    The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when
    using the iptables rules shown above.
    
    Description
    ===========
    
    - CVE-2019-11477 (denial of service)
    
    An integer overflow has been discovered in the Linux kernel when
    handling TCP Selective Acknowledgments (SACKs). A sequence of SACKs may
    be crafted such that one can trigger a kernel panic. A remote attacker
    could use this to cause a denial of service (system crash).
    
    - CVE-2019-11478 (denial of service)
    
    An excessive resource consumption flaw was found in the way the Linux
    kernel's networking subsystem processed TCP Selective Acknowledgment
    (SACK) segments. While processing SACK segments, the Linux kernel's
    socket buffer (SKB) data structure becomes fragmented, which leads to
    increased resource utilization to traverse and process these fragments
    as further SACK segments are received on the same TCP connection. A
    remote attacker could use this flaw to cause a denial of service (DoS)
    by sending a crafted sequence of SACK segments on a TCP connection.
    
    - CVE-2019-11479 (denial of service)
    
    An excessive resource consumption flaw was found in the way the Linux
    kernel's networking subsystem processed TCP segments. If the Maximum
    Segment Size (MSS) of a TCP connection was set to low values, such as
    48 bytes, it can leave as little as 8 bytes for the user data, which
    significantly increases the Linux kernel's resource (CPU, Memory, and
    Bandwidth) utilization. A remote attacker could use this flaw to cause
    a denial of service (DoS) by repeatedly sending network traffic on a
    TCP connection with low TCP MSS.
    
    Impact
    ======
    
    A remote attacker is able to crash the system by sending specially
    crafted TCP packets.
    
    References
    ==========
    
    https://www.openwall.com/lists/oss-security/2019/06/17/5
    https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b4929f65b0d8249f19a50245cd88ed1a2f78cff
    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e
    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
    https://security.archlinux.org/CVE-2019-11477
    https://security.archlinux.org/CVE-2019-11478
    https://security.archlinux.org/CVE-2019-11479
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    Do you read our distribution advisories on a regular basis?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /component/communitypolls/?task=poll.vote&format=json
    23
    radio
    [{"id":"84","title":"Yes, for a single distribution","votes":"0","type":"x","order":"1","pct":0,"resources":[]},{"id":"85","title":"Yes, for multiple distributions","votes":"6","type":"x","order":"2","pct":60,"resources":[]},{"id":"86","title":"No","votes":"4","type":"x","order":"3","pct":40,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.