ASA-2019-00366 – Linux kernel: Excessive resource consumption while processing SACK blocks allows remote denial of service


Allele Security Alert

ASA-2019-00366

Identifier(s)

ASA-2019-00366, CVE-2019-11478, NFLX-2019-001

Title

Excessive resource consumption while processing SACK blocks allows remote denial of service

Vendor(s)

Linux foundation

Product(s)

Linux kernel

Affected version(s)

All Linux kernel versions

Fixed version(s)

Linux kernel stable version 4.4.182
Linux kernel stable version 4.9.182
Linux kernel stable version 4.14.127
Linux kernel stable version 4.19.52
Linux kernel stable version 5.1.11

Linux kernel with the following commit applied:

tcp: tcp_fragment() should apply sane memory limits
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e

Proof of concept

Unknown

Description

An excessive resource consumption flaw was found in the way the Linux kernel’s networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel’s socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.

Technical details

Jonathan Looney reported that a malicious peer can force a sender to fragment its retransmit queue into tiny skbs, inflating memory usage and/or overflow 32bit counters.

TCP allows an application to queue up to sk_sndbuf bytes, so we need to give some allowance for non malicious splitting of retransmit queue.

A new SNMP counter is added to monitor how many times TCP did not allow to split an skb if the allowance was exceeded.

Note that this counter might increase in the case applications use SO_SNDBUF socket option to lower sk_sndbuf.

CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the socket is already using more than half the allowed space

Workaround

1 – Block connections with a low MSS using filters. Note that these filters may break legitimate connections which rely on a low MSS. Also, note that this mitigation is only effective if TCP probing is disabled (that is, the net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the default value for that sysctl).

2 – Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 0).

Credits

Jonathan Looney (Netflix Information Security)

Reference(s)

Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service vulnerabilities
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Linux and FreeBSD Kernel: Multiple TCP-based remote denial of
service issues
https://www.openwall.com/lists/oss-security/2019/06/17/5

Bug 1719128 (CVE-2019-11478) – CVE-2019-11478 Kernel: tcp: excessive resource consumption while processing SACK blocks allows remote denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=1719128

SACK Panic and Other TCP Denial of Service Issues
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic

CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
https://blog.mikrotik.com/security/cve-2019-11477-cve-2019-11478-cve-2019-11479.html

tcp: tcp_fragment() should apply sane memory limits
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e

ASA-2019-00407 – VMware: Selective Acknowledgement (SACK) Excess Resource Usage
https://allelesecurity.com/asa-2019-00407/

Advisory: TCP SACK PANIC kernel vulnerability
https://community.sophos.com/kb/en-us/134237

CVE-2019-11478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478

CVE-2019-11478
https://nvd.nist.gov/vuln/detail/CVE-2019-11478

CVE-2019-11478 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-11478

CVE-2019-11478 | SUSE
https://www.suse.com/security/cve/CVE-2019-11478

CVE-2019-11478 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11478.html

CVE-2019-11478
https://security-tracker.debian.org/tracker/CVE-2019-11478

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 23, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.