ASA-2019-00367 – Linux kernel: Excessive resource consumption for TCP connections with low MSS allows remote denial of service


Allele Security Alert

ASA-2019-00367

Identifier(s)

ASA-2019-00367, CVE-2019-11479, NFLX-2019-001

Title

Excessive resource consumption for TCP connections with low MSS allows remote denial of service

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

All Linux kernel versions

Fixed version(s)

Linux kernel stable version 4.4.182
Linux kernel stable version 4.9.182
Linux kernel stable version 4.14.127
Linux kernel stable version 4.19.52
Linux kernel stable version 5.1.11

Linux kernel with the following commits applied:

tcp: add tcp_min_snd_mss sysctl
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363

tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6

Proof of concept

Unknown

Description

An excessive resource consumption flaw was found in the way the Linux kernel’s networking subsystem processes TCP segments. If the Maximum Segment Size (MSS) of a TCP connection is set to a low value, such as 48 bytes, as little as 8 bytes may be left for user data, which significantly increases the Linux kernel’s resource (CPU, memory, and bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with a low TCP MSS.

Technical details

Some TCP peers announce a very small MSS option in their SYN and/or SYN/ACK messages.

This forces the stack to send packets with a very high network/CPU overhead.

Linux has enforced a minimal value of 48. Since this value includes the size of TCP options, and the options can consume up to 40 bytes, each segment can include only 8 bytes of payload.

In some cases, it can be useful to increase the minimal value to a saner value.

We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility reasons.

Note that TCP_MAXSEG socket option enforces a minimal value of (TCP_MIN_MSS). David Miller increased this minimal value in commit c39508d6f118 (“tcp: Make TCP_MAXSEG minimum more correct.”) from 64 to 88.

We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS.

If MTU probing is enabled, tcp_mtu_probing() could very well end up with a too small MSS.

Use the new sysctl tcp_min_snd_mss to make sure MSS search is performed in an acceptable range.

CVE-2019-11479 — tcp mss hardcoded to 48

Workaround

Block connections with a low MSS using filters. Note that these filters may break legitimate connections which rely on a low MSS. Also, note that this mitigation is only effective if TCP MTU probing is disabled (that is, the net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the default value for that sysctl).
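The following added example (not code from the advisory, the kernel, or Netflix) shows the two numbers the technical details and the workaround rest on: it parses the MSS option out of a raw TCP SYN header, computes the payload budget left once up to 40 bytes of options are deducted (48 - 40 = 8), and applies the kind of low-MSS check a filter would perform. The 500-byte threshold and the build_syn() helper are constructed for the demo, not values from the page.

```python
import struct

TCP_MIN_SND_MSS = 48   # floor the kernel enforced before the fix (from the advisory)
MAX_TCP_OPTIONS = 40   # options can consume up to 40 bytes (from the advisory)
TCP_HEADER_MIN = 20

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Walk the TCP options area; return {kind: value bytes}. Handles NOP/EOL padding."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < TCP_HEADER_MIN or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[TCP_HEADER_MIN:data_offset]
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL: end of option list
            break
        if kind == 1:            # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out[kind] = opts[i + 2:i + length]
        i += length
    return out

def advertised_mss(tcp_header: bytes):
    """MSS option (kind 2) as an int, or None if the SYN carries no MSS option."""
    value = parse_tcp_options(tcp_header).get(2)
    return struct.unpack("!H", value)[0] if value is not None and len(value) == 2 else None

def payload_budget(mss: int, option_bytes: int = MAX_TCP_OPTIONS) -> int:
    """User data per segment once options are deducted: MSS 48 leaves only 8 bytes."""
    return max(mss - option_bytes, 0)

def is_low_mss_syn(tcp_header: bytes, floor: int = 500) -> bool:
    """Filter-style check: SYN set and advertised MSS below the (constructed) floor."""
    if not tcp_header[13] & 0x02:   # not a SYN
        return False
    mss = advertised_mss(tcp_header)
    return mss is not None and mss < floor

def build_syn(mss: int) -> bytes:
    """Constructed SYN header (ports/seq are dummies) carrying only an MSS option."""
    opts = struct.pack("!BBH", 2, 4, mss)
    data_offset = (TCP_HEADER_MIN + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + opts
```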

Credits

Jonathan Looney (Netflix Information Security)

Reference(s)

Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service vulnerabilities
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service issues
https://www.openwall.com/lists/oss-security/2019/06/17/5

Bug 1719129 (CVE-2019-11479) – CVE-2019-11479 kernel: tcp: excessive resource consumption for TCP connections with low MSS allows remote denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=1719129

SACK Panic and Other TCP Denial of Service Issues
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic

CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
https://blog.mikrotik.com/security/cve-2019-11477-cve-2019-11478-cve-2019-11479.html

tcp: add tcp_min_snd_mss sysctl
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363

tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6

Advisory: TCP SACK PANIC kernel vulnerability
https://community.sophos.com/kb/en-us/134237

CVE-2019-11479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479

CVE-2019-11479
https://nvd.nist.gov/vuln/detail/CVE-2019-11479

CVE-2019-11479 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-11479

CVE-2019-11479 | SUSE
https://www.suse.com/security/cve/CVE-2019-11479

CVE-2019-11479 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11479.html

CVE-2019-11479
https://security.archlinux.org/CVE-2019-11479

CVE-2019-11479
https://security-tracker.debian.org/tracker/CVE-2019-11479

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: December 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.