CVE-2019-11479 - log

CVE-2019-11479 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection is set to a low value, such as 48 bytes, as little as 8 bytes may remain for user data, which significantly increases the Linux kernel's resource (CPU, memory, and bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with a low TCP MSS.
References
+ https://www.openwall.com/lists/oss-security/2019/06/17/5
+ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ https://access.redhat.com/security/vulnerabilities/tcpsack
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
Notes
+ Workaround:
+
+ $ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
+
+ IMPORTANT: The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using the iptables rule shown above. Confirm that it is disabled with the following command:
+
+ $ sysctl net.ipv4.tcp_mtu_probing
+ net.ipv4.tcp_mtu_probing = 0
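The following added example (not part of the tracker entry) audits whether the workaround above is completely in place on a host: it parses the sysctl output line and the `iptables -S INPUT` listing, and refuses to report success when the MSS drop rule is present but tcp_mtu_probing is still enabled. It assumes `iptables` and `sysctl` are in PATH and that the rule was added exactly as written above.

```shell
#!/bin/sh
# Added example: verify the CVE-2019-11479 workaround on a host.
# Assumes the DROP rule was added with the exact arguments from the advisory.

MSS_RULE='-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP'

# Returns 0 when the given sysctl output line reports tcp_mtu_probing = 0.
# $1 is a line such as "net.ipv4.tcp_mtu_probing = 0".
mtu_probing_disabled() {
    val=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.tcp_mtu_probing *= *\([0-9]*\).*/\1/p')
    [ "$val" = "0" ]
}

# Returns 0 when the text on stdin (output of `iptables -S INPUT`) contains
# the advisory's DROP rule for segments advertising an MSS of 1..500.
mss_drop_rule_present() {
    grep -qxF -- "$MSS_RULE"
}

# Runs both checks against live command output. Prints a verdict and returns 0
# only when the rule is installed AND MTU probing is off; the rule alone is
# not reported as OK because the advisory requires both conditions.
check_live_host() {
    if ! mtu_probing_disabled "$(sysctl net.ipv4.tcp_mtu_probing)"; then
        echo "NOT OK: net.ipv4.tcp_mtu_probing is not 0; set it to 0 before relying on the MSS drop rule"
        return 1
    fi
    if ! iptables -S INPUT | mss_drop_rule_present; then
        echo "NOT OK: MSS 1:500 DROP rule is missing from the INPUT chain"
        return 1
    fi
    echo "OK: tcp_mtu_probing = 0 and the MSS 1:500 DROP rule is present"
}
```

Run `check_live_host` as root on the host being audited; the two parsing functions can also be fed captured output from other machines.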