Arch Linux Security Advisory ASA-201906-14
==========================================
Severity: High
Date    : 2019-06-18
CVE-ID  : CVE-2019-11477 CVE-2019-11478 CVE-2019-11479
Package : linux-lts
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-984

Summary
=======
The package linux-lts before version 4.19.52-1 is vulnerable to denial
of service.

Resolution
==========
Upgrade to 4.19.52-1.

# pacman -Syu "linux-lts>=4.19.52-1"

The problems have been fixed upstream in version 4.19.52.

Workaround
==========
- CVE-2019-11477 and CVE-2019-11478

  $ sudo sysctl -w net.ipv4.tcp_sack=0

The mitigation described below for CVE-2019-11479 is also sufficient
for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is
not viable.

- CVE-2019-11479

  $ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when
using the iptables rules shown above.
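The following check script is an added example, not part of the advisory: it reports whether a host already runs a kernel carrying the upstream fix (4.19.52 or later, per the Resolution section) and, if not, which of the three CVEs the workaround state above actually covers (the MSS drop rule with tcp_mtu_probing=0 covers all three; tcp_sack=0 covers only the two SACK issues). Function names are my own; `--live` mode reads the running system and needs root for `iptables -S`.

```shell
#!/bin/sh
# Added check script (not from the advisory): is this host patched for
# CVE-2019-11477/11478/11479, and if not, which workarounds are in effect?
set -e

FIXED_VERSION="4.19.52"   # upstream release carrying the fixes

# version_ge A B: succeed when dotted numeric version A >= B
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# kernel_patched KVER: succeed when e.g. "4.19.52-1-lts" carries the fix
kernel_patched() {
    version_ge "${1%%[-+]*}" "$FIXED_VERSION"
}

# covered_cves SACK MTU_PROBING MSS_RULES: print the CVEs mitigated by the
# current workaround state. The MSS drop rule covers all three, but only
# with tcp_mtu_probing=0; tcp_sack=0 covers only the two SACK bugs.
covered_cves() {
    if [ "$3" -gt 0 ] && [ "$2" = 0 ]; then
        printf 'CVE-2019-11477 CVE-2019-11478 CVE-2019-11479'
    elif [ "$1" = 0 ]; then
        printf 'CVE-2019-11477 CVE-2019-11478'
    fi
}

# Live mode: inspect the running system (root needed for iptables -S)
if [ "${1:-}" = "--live" ]; then
    kver=$(uname -r)
    if kernel_patched "$kver"; then
        echo "kernel $kver: patched, no workaround needed"
    else
        sack=$(sysctl -n net.ipv4.tcp_sack)
        probing=$(sysctl -n net.ipv4.tcp_mtu_probing)
        rules=$(iptables -S INPUT 2>/dev/null | grep -c -- '--mss 1:500 -j DROP' || true)
        echo "kernel $kver: unpatched; workaround covers: $(covered_cves "$sack" "$probing" "$rules")"
    fi
fi
```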

Description
===========
- CVE-2019-11477 (denial of service)

An integer overflow has been discovered in the Linux kernel when
handling TCP Selective Acknowledgments (SACKs). A sequence of SACKs may
be crafted such that one can trigger a kernel panic. A remote attacker
could use this to cause a denial of service (system crash).

- CVE-2019-11478 (denial of service)

An excessive resource consumption flaw was found in the way the Linux
kernel's networking subsystem processed TCP Selective Acknowledgment
(SACK) segments. While processing SACK segments, the Linux kernel's
socket buffer (SKB) data structure becomes fragmented, which leads to
increased resource utilization to traverse and process these fragments
as further SACK segments are received on the same TCP connection. A
remote attacker could use this flaw to cause a denial of service (DoS)
by sending a crafted sequence of SACK segments on a TCP connection.

- CVE-2019-11479 (denial of service)

An excessive resource consumption flaw was found in the way the Linux
kernel's networking subsystem processed TCP segments. If the Maximum
Segment Size (MSS) of a TCP connection is set to a low value, such as
48 bytes, as little as 8 bytes may be left for user data, which
significantly increases the Linux kernel's resource (CPU, memory, and
bandwidth) utilization. A remote attacker could use this flaw to cause
a denial of service (DoS) by repeatedly sending network traffic on a
TCP connection with a low TCP MSS.

Impact
======
A remote attacker is able to crash the system by sending specially
crafted TCP packets.

References
==========
https://www.openwall.com/lists/oss-security/2019/06/17/5
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b4929f65b0d8249f19a50245cd88ed1a2f78cff
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
https://security.archlinux.org/CVE-2019-11477
https://security.archlinux.org/CVE-2019-11478
https://security.archlinux.org/CVE-2019-11479
