Allele Security Alert
ASA-2019-00367
Identifier(s)
ASA-2019-00367, CVE-2019-11479, NFLX-2019-001
Title
Excessive resource consumption for TCP connections with low MSS allows remote denial of service
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
All Linux kernel versions
Fixed version(s)
Linux kernel stable version 4.4.182
Linux kernel stable version 4.9.182
Linux kernel stable version 4.14.127
Linux kernel stable version 4.19.52
Linux kernel stable version 5.1.11
Linux kernel with the following commits applied:
tcp: add tcp_min_snd_mss sysctl
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
Proof of concept
Unknown
Description
An excessive resource consumption flaw was found in the way the Linux kernel’s networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection is set to a low value, such as 48 bytes, as little as 8 bytes can be left for user data, which significantly increases the Linux kernel’s resource (CPU, memory, and bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with a low TCP MSS.
Technical details
Some TCP peers announce a very small MSS option in their SYN and/or SYN/ACK messages.
This forces the stack to send packets with a very high network/CPU overhead.
Linux has enforced a minimal value of 48. Since this value includes the size of the TCP options, and the options can consume up to 40 bytes, each segment can include only 8 bytes of payload.
In some cases, it can be useful to increase the minimal value to a saner value.
We still leave the default at 48 (TCP_MIN_SND_MSS), for compatibility reasons.
Note that TCP_MAXSEG socket option enforces a minimal value of (TCP_MIN_MSS). David Miller increased this minimal value in commit c39508d6f118 (“tcp: Make TCP_MAXSEG minimum more correct.”) from 64 to 88.
We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS.
If MTU probing is enabled, tcp_mtu_probing() could very well end up with a too-small MSS.
Use the new sysctl tcp_min_snd_mss to make sure MSS search is performed in an acceptable range.
CVE-2019-11479 — tcp mss hardcoded to 48
Workaround
Block connections with a low MSS using filters. Note that these filters may break legitimate connections which rely on a low MSS. Also, note that this mitigation is only effective if TCP MTU probing is disabled (that is, the net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the default value for that sysctl).
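An added Python illustration (not part of this alert or of the kernel commits) of two points above: the per-segment cost when the send MSS is 48 and the options take 40 bytes (Technical details), and the SYN-time MSS check that a filtering workaround performs. The function names, the sample SYN headers and any threshold passed to the filter are constructed for the example, not taken from the advisory.

```python
import struct

# From the advisory: kernel floor for the send MSS and the maximum size of TCP options.
TCP_MIN_SND_MSS = 48
MAX_TCP_OPTION_BYTES = 40

def segments_needed(payload_bytes, mss, option_bytes=MAX_TCP_OPTION_BYTES):
    """Segments needed to carry payload_bytes when every MSS-sized segment
    also carries option_bytes of TCP options (the advisory's worst case)."""
    per_segment = mss - option_bytes
    if per_segment <= 0:
        raise ValueError("MSS leaves no room for payload")
    return -(-payload_bytes // per_segment)  # ceiling division

def parse_syn_mss(tcp_header):
    """Return (is_syn, advertised MSS or None) by walking the raw TCP option list."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    is_syn = bool(tcp_header[13] & 0x02)
    options = tcp_header[20:data_offset]
    i, mss = 0, None
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP padding, one byte long
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                      # missing or invalid length byte
        length = options[i + 1]
        if i + length > len(options):
            break                      # option runs past the header
        if kind == 2 and length == 4:  # MSS option: kind 2, length 4
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return is_syn, mss

def low_mss_verdict(tcp_header, min_mss):
    """Mimic the SYN filter workaround: drop handshakes advertising MSS < min_mss."""
    is_syn, mss = parse_syn_mss(tcp_header)
    return "drop" if is_syn and mss is not None and mss < min_mss else "pass"

def build_syn(mss):
    """Constructed sample SYN header (not captured traffic) carrying only an MSS option."""
    options = struct.pack("!BBH", 2, 4, mss)
    offset_byte = ((20 + len(options)) // 4) << 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, offset_byte, 0x02, 65535, 0, 0)
    return fixed + options
```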
Credits
Jonathan Looney (Netflix Information Security)
Reference(s)
Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service vulnerabilities
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service issues
https://www.openwall.com/lists/oss-security/2019/06/17/5
Bug 1719129 (CVE-2019-11479) – CVE-2019-11479 kernel: tcp: excessive resource consumption for TCP connections with low MSS allows remote denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=1719129
SACK Panic and Other TCP Denial of Service Issues
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
https://blog.mikrotik.com/security/cve-2019-11477-cve-2019-11478-cve-2019-11479.html
tcp: add tcp_min_snd_mss sysctl
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
Advisory: TCP SACK PANIC kernel vulnerability
https://community.sophos.com/kb/en-us/134237
CVE-2019-11479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
CVE-2019-11479
https://nvd.nist.gov/vuln/detail/CVE-2019-11479
CVE-2019-11479 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-11479
CVE-2019-11479 | SUSE
https://www.suse.com/security/cve/CVE-2019-11479
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11479.html
CVE-2019-11479
https://security.archlinux.org/CVE-2019-11479
CVE-2019-11479
https://security-tracker.debian.org/tracker/CVE-2019-11479
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 6, 2019