CVE-2019-11479

Source
Severity Medium
Remote Yes
Type Denial of service
Description
An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection was set to low values, such as 48 bytes, it can leave as little as 8 bytes for the user data, which significantly increases the Linux kernel's resource (CPU, Memory, and Bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with low TCP MSS.
Group Package Affected Fixed Severity Status Ticket
AVG-986 linux-hardened 5.1.10.a-1 5.1.11.a-1 High Fixed
AVG-985 linux-zen 5.1.10.zen1-1 5.1.11.zen1-1 High Fixed
AVG-984 linux-lts 4.19.51-1 4.19.52-1 High Fixed
AVG-983 linux 5.1.10.arch1-1 5.1.11.arch1-1 High Fixed
Date Advisory Group Package Severity Description
18 Jun 2019 ASA-201906-15 AVG-985 linux-zen High denial of service
18 Jun 2019 ASA-201906-14 AVG-984 linux-lts High denial of service
18 Jun 2019 ASA-201906-13 AVG-983 linux High denial of service
17 Jun 2019 ASA-201906-12 AVG-986 linux-hardened High denial of service
References
https://www.openwall.com/lists/oss-security/2019/06/17/5
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
https://access.redhat.com/security/vulnerabilities/tcpsack
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
Notes
Workaround:

$ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

IMPORTANT: The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using the iptables rules shown above. Ensure it is disabled using the following command:

$ sysctl net.ipv4.tcp_mtu_probing
net.ipv4.tcp_mtu_probing = 0