[ASA-201906-13] linux: denial of service
Arch Linux Security Advisory ASA-201906-13
==========================================

Severity: High
Date    : 2019-06-18
CVE-ID  : CVE-2019-11477 CVE-2019-11478 CVE-2019-11479
Package : linux
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-983

Summary
=======

The package linux before version 5.1.11.arch1-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 5.1.11.arch1-1.

# pacman -Syu "linux>=5.1.11.arch1-1"

The problems have been fixed upstream in version 5.1.11.arch1.

Workaround
==========

- CVE-2019-11477 and CVE-2019-11478

$ sudo sysctl -w net.ipv4.tcp_sack=0

The mitigation described below for CVE-2019-11479 is also sufficient for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is not viable.

- CVE-2019-11479

$ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using the iptables rule shown above.

Description
===========

- CVE-2019-11477 (denial of service)

An integer overflow has been discovered in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A sequence of SACKs may be crafted such that one can trigger a kernel panic. A remote attacker could use this to cause a denial of service (system crash).

- CVE-2019-11478 (denial of service)

An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel's socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.

- CVE-2019-11479 (denial of service)

An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection was set to low values, such as 48 bytes, it can leave as little as 8 bytes for the user data, which significantly increases the Linux kernel's resource (CPU, memory and bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with a low TCP MSS.

Impact
======

A remote attacker is able to crash the system by sending specially crafted TCP packets.

References
==========

https://www.openwall.com/lists/oss-security/2019/06/17/5
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b4929f65b0d8249f19a50245cd88ed1a2f78cff
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
https://security.archlinux.org/CVE-2019-11477
https://security.archlinux.org/CVE-2019-11478
https://security.archlinux.org/CVE-2019-11479
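The Workaround section above encodes a small decision rule: disabling SACK covers the two SACK CVEs, while the MSS drop rule covers all three but only while tcp_mtu_probing is 0. The following is an added example, not part of the advisory, that applies that rule to constructed `sysctl` and `iptables -S INPUT` output so an operator of a not-yet-upgraded host can see which CVEs the current configuration mitigates.

```python
import re

# Constructed sample input shaped like the output of
# `sysctl net.ipv4.tcp_sack net.ipv4.tcp_mtu_probing` and `iptables -S INPUT`;
# not captured from a real host.
SAMPLE_SYSCTL = [
    "net.ipv4.tcp_sack = 1",
    "net.ipv4.tcp_mtu_probing = 0",
]
SAMPLE_IPTABLES = [
    "-P INPUT ACCEPT",
    "-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP",
]


def parse_sysctl(lines):
    """Turn 'key = value' lines into a dict, skipping anything malformed."""
    out = {}
    for line in lines:
        key, sep, val = line.partition("=")
        if sep:
            out[key.strip()] = val.strip()
    return out


def has_low_mss_drop(rules):
    """True if an INPUT rule drops TCP segments with MSS in 1:500,
    i.e. the advisory's rule for CVE-2019-11479."""
    pat = re.compile(r"^-A INPUT\b.*\s-p tcp\b.*\s-m tcpmss\s+--mss 1:500\b.*\s-j DROP\b")
    return any(pat.search(rule.strip()) for rule in rules)


def assess(sysctl_lines, iptables_rules):
    """Per-CVE status ('mitigated' / 'vulnerable') for an unpatched kernel,
    following the advisory's workaround conditions."""
    s = parse_sysctl(sysctl_lines)
    sack_off = s.get("net.ipv4.tcp_sack") == "0"
    # The MSS drop rule only counts while tcp_mtu_probing is disabled (0).
    mss_rule_ok = has_low_mss_drop(iptables_rules) and s.get("net.ipv4.tcp_mtu_probing") == "0"
    sack_status = "mitigated" if (sack_off or mss_rule_ok) else "vulnerable"
    return {
        "CVE-2019-11477": sack_status,
        "CVE-2019-11478": sack_status,
        "CVE-2019-11479": "mitigated" if mss_rule_ok else "vulnerable",
    }


if __name__ == "__main__":
    for cve, status in assess(SAMPLE_SYSCTL, SAMPLE_IPTABLES).items():
        print(f"{cve}: {status}")
```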