===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4528
           TCP SACK panic attack - Linux Kernel Vulnerabilities -
              CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479
                              2 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiAnalyzer
                   FortiAP
                   FortiSwitch
                   FortiGate
Publisher:         FortiGuard
Operating System:  Linux variants
                   Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11479 CVE-2019-11478 CVE-2019-11477

Reference:         ASB-2019.0174
                   ESB-2019.4316
                   ESB-2019.3612
                   ESB-2019.2171
                   ESB-2019.2132.3

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-19-180

--------------------------BEGIN INCLUDED TEXT--------------------

TCP SACK panic attack - Linux Kernel Vulnerabilities - CVE-2019-11477,
CVE-2019-11478 & CVE-2019-11479

IR Number : FG-IR-19-180
Date      : Nov 29, 2019
Risk      : 4/5
Impact    : Denial of Service
CVE ID    : CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Summary

CVE-2019-11477:

The Linux kernel is vulnerable to an integer overflow in the 16-bit width of
TCP_SKB_CB(skb)->tcp_gso_segs. A remote attacker could use this to cause a
denial of service.

CVE-2019-11478:

The Linux kernel is vulnerable to a flaw that allows attackers to send a
crafted sequence of SACKs which will fragment the TCP retransmission queue. An
attacker might be able to further exploit the fragmented queue to cause an
expensive linked-list walk for subsequent SACKs received for that same TCP
connection. A remote attacker could use this to cause a denial of service.

CVE-2019-11479:

The Linux kernel is vulnerable to a flaw that allows attackers to send
crafted packets with low MSS values to trigger excessive resource consumption.
An attacker can force the Linux kernel to segment its responses into multiple
TCP segments, each of which contains only 8 bytes of data. This drastically
increases the bandwidth required to deliver the same amount of data. This
attack requires continued effort from the attacker and the impacts will end
shortly after the attacker stops sending traffic. A remote attacker could use
this to cause a denial of service.

Impact

Denial of Service

Affected Products

The following products are potentially impacted by CVE-2019-11477:

FortiAnalyzer
FortiAP
FortiSwitch

The following products are potentially impacted by CVE-2019-11478:

FortiGate
FortiAnalyzer
FortiAP
FortiSwitch

The following products are potentially impacted by CVE-2019-11479:

FortiGate
FortiAnalyzer
FortiAP
FortiSwitch

Solutions

FortiAnalyzer: Please upgrade to 6.0.7 and above or 6.2.1 and above.
FortiAP: Please upgrade to 6.0.6 and above or 6.2.1 and above.

Workaround:

Workaround for FortiSwitch:

The workaround for FortiSwitch is to block connections with low MSS values. The
administrator can apply a higher or lower MSS limit as appropriate for their
environment.

Versions 3.6.11 and above, 6.0.5 and above, and 6.2.2 and above support the
following CLI commands, which allow the administrator to configure a minimum MSS
value:

config system global
    set tcp-mss-min    (Minimum allowed TCP MSS value in bytes (48-10000, default=48))
    set tcp6-mss-min   (Minimum allowed TCP MSS value in bytes (48-10000, default=48))
end

Workaround for FortiGate:

The IPS signature Linux.Kernel.TCP.SACK.Panic.DoS (https://www.fortiguard.com/
encyclopedia/ips/48103/linux-kernel-tcp-sack-panic-dos) can be used to block
connections with small MSS values (by default, smaller than 60 bytes).

The MSS value can be changed by the customer to a value that is more
appropriate for their environment.

To do so, customers need to write their own IPS signature. In the GUI, it is
under Security profiles --> Intrusion Prevention.
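Both workarounds above come down to the same check: read the MSS option from a SYN and refuse the connection when it is below a configured floor. The following Python is an added illustration of that check (not Fortinet code and not how FortiSwitch or the IPS engine implements it); the packet bytes are constructed, and the thresholds 48 and 60 are the defaults quoted in the advisory. The wire_bytes helper also works through the bandwidth claim for CVE-2019-11479, assuming 40 bytes of IPv4+TCP header per segment.

```python
import struct

# Defaults quoted in the advisory: FortiSwitch tcp-mss-min accepts 48-10000
# (default 48); the FortiGate IPS signature blocks MSS below 60 by default.
FORTISWITCH_DEFAULT_MIN_MSS = 48
FORTIGATE_IPS_DEFAULT_MIN_MSS = 60

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def parse_mss(tcp_header: bytes):
    """Return the MSS advertised in the TCP options, or None if absent/malformed."""
    if len(tcp_header) < 20:
        return None
    data_offset = (tcp_header[12] >> 4) * 4          # header length incl. options
    if data_offset < 20 or data_offset > len(tcp_header):
        return None
    opts, i = tcp_header[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:                        # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):                         # length byte missing
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):       # option overruns buffer
            return None
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length                                    # skip unknown option
    return None


def syn_allowed(tcp_header: bytes, min_mss: int = FORTISWITCH_DEFAULT_MIN_MSS) -> bool:
    """Minimum-MSS policy: drop a SYN whose MSS option is below min_mss.
    A SYN with no MSS option falls back to the protocol default, so it passes."""
    mss = parse_mss(tcp_header)
    return mss is None or mss >= min_mss


def build_syn(mss: int) -> bytes:
    """Constructed 24-byte SYN header (dummy ports/seq) carrying one MSS option."""
    base = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return base + struct.pack("!BBH", TCP_OPT_MSS, 4, mss)


def wire_bytes(payload_len: int, mss: int, header_len: int = 40) -> int:
    """Bytes on the wire to deliver payload_len bytes when every segment carries
    at most mss bytes of data plus header_len bytes of IPv4+TCP header."""
    segments = -(-payload_len // mss)                  # ceiling division
    return payload_len + segments * header_len
```

Run against the constructed SYNs, an 8-byte MSS is refused under both default floors, while a 50-byte MSS passes the FortiSwitch default of 48 but not the IPS default of 60; delivering 1 MiB at an MSS of 8 costs roughly six times the wire bytes of the same transfer at 1460.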

References

  o https://github.com/Netflix/security-bulletins/blob/master/advisories/
    third-party/2019-001.md

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================