-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4528
  TCP SACK panic attack- Linux Kernel Vulnerabilities- CVE-2019-11477,
                     CVE-2019-11478 & CVE-2019-11479
                               2 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiAnalyzer
                   FortiAP
                   FortiSwitch
                   FortiGate
Publisher:         FortiGuard
Operating System:  Linux variants
                   Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11479 CVE-2019-11478 CVE-2019-11477
Reference:         ASB-2019.0174
                   ESB-2019.4316
                   ESB-2019.3612
                   ESB-2019.2171
                   ESB-2019.2132.3

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-19-180

- --------------------------BEGIN INCLUDED TEXT--------------------

TCP SACK panic attack- Linux Kernel Vulnerabilities- CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479

IR Number : FG-IR-19-180
Date      : Nov 29, 2019
Risk      : 4/5
Impact    : Denial of Service
CVE ID    : CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Summary

CVE-2019-11477: The Linux kernel is vulnerable to an integer overflow in the 16 bit width of TCP_SKB_CB(skb)->tcp_gso_segs. A remote attacker could use this to cause a denial of service.

CVE-2019-11478: The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. An attacker might be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection. A remote attacker could use this to cause a denial of service.

CVE-2019-11479: The Linux kernel is vulnerable to a flaw that allows attackers to send crafted packets with low MSS values to trigger excessive resource consumption.
An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data. This attack requires continued effort from the attacker and the impacts will end shortly after the attacker stops sending traffic. A remote attacker could use this to cause a denial of service.

Impact

Denial of Service

Affected Products

The following products are potentially impacted by CVE-2019-11477:
    FortiAnalyzer
    FortiAP
    FortiSwitch

The following products are potentially impacted by CVE-2019-11478:
    FortiGate
    FortiAnalyzer
    FortiAP
    FortiSwitch

The following products are potentially impacted by CVE-2019-11479:
    FortiGate
    FortiAnalyzer
    FortiAP
    FortiSwitch

Solutions

FortiAnalyzer: Please upgrade to 6.0.7 and above or 6.2.1 and above.
FortiAP: Please upgrade to 6.0.6 and above or 6.2.1 and above.

Workaround:

Workaround for FortiSwitch:

The workaround for FortiSwitch is to block connections with low MSS values. The administrator can apply a higher or lower MSS limit as appropriate for their environment. Versions 3.6.11 and above, 6.0.5 and above and 6.2.2 and above support the following CLI commands that allow the administrator to configure a minimum MSS value:

    config system global
        set tcp-mss-min   (Minimum allowed TCP MSS value in bytes (48-10000, default=48))
        set tcp6-mss-min  (Minimum allowed TCP MSS value in bytes (48-10000, default=48))
    end

Workaround for FortiGate:

The IPS signature Linux.Kernel.TCP.SACK.Panic.DoS (https://www.fortiguard.com/encyclopedia/ips/48103/linux-kernel-tcp-sack-panic-dos) can be used to block connections with small MSS values (by default smaller than 60 bytes). The MSS value can be changed by the customer to a value that is more appropriate for their environment. To do so, customers need to write their own IPS signature. In the GUI, it is under Security Profiles --> Intrusion Prevention.
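As an added illustration, not part of the Fortinet or AusCERT bulletin, the following Python builds constructed TCP SYN segments, parses the MSS option, applies a minimum-MSS policy of the kind the tcp-mss-min workaround above enforces (default 48 bytes on FortiSwitch; the FortiGate IPS signature defaults to 60), and estimates how much header overhead the 8-byte segments of CVE-2019-11479 add on the wire. Function names, port numbers and the 40-byte IPv4+TCP header figure are assumptions made for the example.

```python
import math
import struct
from typing import Optional

# Constructed sample segments: bare TCP header (no IP header), 20-byte fixed part plus options.
# Option kinds used: 0 = end of list, 1 = NOP, 2 = MSS (length 4).

def build_syn(src_port: int, dst_port: int, mss: Optional[int]) -> bytes:
    """Build a minimal TCP SYN carrying an MSS option (constructed input, not captured traffic)."""
    options = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    options += b"\x01" * (-len(options) % 4)      # pad to a 32-bit boundary with NOPs
    data_offset = (20 + len(options)) // 4         # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)  # 0x02 = SYN flag
    return fixed + options

def parse_mss(segment: bytes) -> Optional[int]:
    """Walk the TCP option list and return the advertised MSS, or None if absent."""
    header_len = (segment[12] >> 4) * 4
    opts = segment[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                     # truncated or malformed option: stop, never loop forever
        length = opts[i + 1]
        if kind == 2 and length == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def mss_verdict(segment: bytes, tcp_mss_min: int = 48) -> str:
    """Apply a tcp-mss-min style policy: block a SYN whose MSS is below the minimum.
    The default of 48 mirrors the FortiSwitch CLI default quoted in the advisory."""
    if not segment[13] & 0x02:        # only SYN segments carry the MSS option
        return "allow"
    mss = parse_mss(segment)
    return "block" if mss is not None and mss < tcp_mss_min else "allow"

def wire_overhead(payload_bytes: int, mss: int, header_bytes: int = 40) -> float:
    """Bytes on the wire per payload byte when each segment carries at most `mss` bytes
    (assumes 40 bytes of IPv4+TCP headers per segment)."""
    segments = math.ceil(payload_bytes / mss)
    return (payload_bytes + segments * header_bytes) / payload_bytes
```

With 8-byte segments an 8000-byte response costs six times its size on the wire, against about 1.03 times at a 1460-byte MSS, which is the bandwidth effect the advisory describes.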
References

o https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----