Overview
This article outlines the details of the TCP SACK PANIC kernel vulnerability and how it impacts Sophos products.
Three related flaws were found in the Linux kernel’s handling of TCP Selective Acknowledgement (SACK) packets with low MSS values.
These have been assigned the following CVEs:
- CVE-2019-11477 is considered an Important severity
- CVE-2019-11478 and CVE-2019-11479 are considered a Moderate severity
Applies to the following Sophos products and versions
Product | Affected | Release Plan
---|---|---
Sophos XG Firewall | Yes | Fixed version XG v17.5 MR-7 released
Sophos UTM | Yes | Fixed version UTM 9.604 released
Cyberoam | Yes | End of July
Sophos Firewall Manager | No | –
Sophos UTM Manager | Yes | Fixed version SUM 4.309 released
Sophos Email Appliance | No | –
Sophos Web Appliance | Yes | Fixed version 4.3.8.1 released
Sophos RED | No | –
Sophos AP/APX | No | –
Sophos iView | No | –
Sophos Central Firewall Manager | No | –
Sophos for Virtual Environments | Yes | Mid-July
Impact
CVE-2019-11477
- A remote attacker could exploit this to crash the system, resulting in a Denial of Service.
CVE-2019-11478
- The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. This could cause the CPU to spend an excessive amount of time attempting to reconstruct the list, resulting in a Denial of Service.
CVE-2019-11479
- The Linux kernel is vulnerable to a flaw that allows attackers to send crafted packets with low MSS values to trigger excessive resource consumption. The system will then work at reduced capacity, resulting in a Denial of Service for some users.
What to Do
Sophos is actively working to resolve this issue with high priority.
In the meantime, users can follow the workaround instructions outlined below.
Workaround
To resolve this vulnerability while a permanent fix is being developed, users can disable selective acknowledgments system-wide for all newly established TCP connections.
Sophos XG Firewall
Disable selective acknowledgements in the console. This workaround is reboot-persistent.
Note: Disabling SACK may reduce performance in case of packet loss.
- Log into XG Console > Select Option 4
set advanced-firewall tcp-selective-acknowledgement off
To verify:
show advanced-firewall
TCP Selective Acknowledgements: off
Update: SFOS version 17.5 MR7 resolves this vulnerability. If the workaround above was applied on your XG Firewall before upgrading to version 17.5 MR7, re-enable TCP SACK by running the command set advanced-firewall tcp-selective-acknowledgement on.
Sophos UTM
There are two available workarounds that are reboot-persistent. Each workaround has caveats. Users may prefer one workaround over the other.
- Limiting MSS size which works for all three CVEs
- Disabling Selective Ack which only resolves CVE-2019-11477 (critical) and CVE-2019-11478
Limiting MSS Size
This workaround mitigates all three CVE vulnerabilities.
Note: A side effect of this change is that it may disrupt legitimate traffic that relies on low MSS values.
- Disable MTU probing:
echo "net.ipv4.tcp_mtu_probing = 0" >> /etc/sysctl.conf
sysctl -p
- Add the following line to /var/mdw/etc/iptables/iptable.filter after the :USR_OUTPUT - [0:0] line (line 29 for UTM v9.603):
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
Disabling Selective ACK
This workaround mitigates only CVE-2019-11477 and CVE-2019-11478.
Note: A side effect of this change is that disabling SACK may result in reduced performance in case of packet loss.
echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
sysctl -p
Note: The changes in /etc/sysctl.conf for both workarounds should be removed once the UTM is updated to v9.604, which includes a permanent fix.
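The UTM workaround above appends to /etc/sysctl.conf with >> (so running it twice leaves duplicate lines) and names a fixed line number for the iptables rule (which is specific to v9.603). The POSIX shell helpers below are an added example, not part of the Sophos article or its products: they write each sysctl key once, locate the iptables insertion point by matching the :USR_OUTPUT - [0:0] chain line rather than by line number, skip the rule if it is already present, and report what a given file configures. The file paths are passed as arguments so the helpers can be exercised on copies before touching the real /etc/sysctl.conf and /var/mdw/etc/iptables/iptable.filter; the function names are this example's own, and the sysctl keys and the DROP rule are the ones the article gives.

```shell
#!/bin/sh
# Added example (not from the Sophos article): idempotent helpers for the
# UTM SACK/MSS workaround. Every function takes the file to edit as its
# first argument so the logic can be tried on a scratch copy first.

# set_sysctl FILE KEY VALUE
# Writes "KEY = VALUE" into FILE, replacing an existing line for KEY rather
# than appending a second copy the way a repeated `echo >>` would.
set_sysctl() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl FILE KEY
# Prints the value FILE configures for KEY (last occurrence wins, as with
# sysctl -p); prints nothing when the key is absent.
get_sysctl() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# effective_sysctl KEY
# Prints the value the running kernel currently uses, read from /proc/sys.
# Useful after `sysctl -p` to confirm the file change actually took effect.
effective_sysctl() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)"
}

# The rule from the article: drop TCP segments advertising an MSS of 1..500.
MSS_DROP_RULE='-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP'

# add_mss_drop_rule FILE
# Inserts MSS_DROP_RULE directly after the ":USR_OUTPUT - [0:0]" line of an
# iptables-restore style file. No-op if the rule is already there; fails
# (return 1) if the anchor line cannot be found, instead of guessing a line.
add_mss_drop_rule() {
    file=$1
    grep -qF -- "$MSS_DROP_RULE" "$file" && return 0
    grep -q '^:USR_OUTPUT - \[0:0\]' "$file" || {
        echo "add_mss_drop_rule: no ':USR_OUTPUT - [0:0]' line in $file" >&2
        return 1
    }
    tmp=$(mktemp)
    awk -v rule="$MSS_DROP_RULE" \
        '{ print } /^:USR_OUTPUT - \[0:0\]/ { print rule }' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# count_mss_drop_rule FILE
# Prints how many copies of the rule FILE contains (0 or 1 when healthy).
count_mss_drop_rule() {
    grep -cF -- "$MSS_DROP_RULE" "$1" || true
}

# Typical use on a UTM (run as root, then `sysctl -p` to load the values):
#   set_sysctl /etc/sysctl.conf net.ipv4.tcp_mtu_probing 0
#   add_mss_drop_rule /var/mdw/etc/iptables/iptable.filter
```

Because set_sysctl replaces rather than appends, the same helper also reverts the workaround after upgrading to v9.604: call it with the default value (1 for net.ipv4.tcp_sack) or delete the line, then run sysctl -p and compare get_sysctl against effective_sysctl.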
Cyberoam
Disable selective acknowledgement in the console. This workaround is reboot-persistent.
Note: Disabling SACK may reduce performance in case of packet loss.
- Log into XG Console > Select Option 4
set advanced-firewall tcp-selective-acknowledgement off
- To verify:
show advanced-firewall
TCP Selective Acknowledgements : off
Sophos UTM Manager
Use the related workarounds available for the Sophos UTM.
Sophos Web Appliance
- Version 4.3.8.1 includes a fix for this issue. It will be released during the week beginning 15 July 2019.
- Appliances set to auto-update should pick up the new version within a few days.
- Customers who have disabled auto-updating should apply the update as soon as possible.
- For more information, see this blog post: Release of SWA version 4.3.8.1 – addressing the TCP SACK PANIC vulnerability.
Sophos for Virtual Environments
Customers can manually mitigate these vulnerabilities on Security VMs by following the steps below:
- Access the Security VM terminal via Hyper-V remote connection, VMware Console or SSH
- Log into the Security VM with your credentials
- Run the command:
sudo sysctl -w net.ipv4.tcp_sack=0
Note: This modification will need to be reapplied following every reboot of the Security VM. We are releasing Sophos for Virtual Environments 1.3.2 in July 2019 to address these vulnerabilities.
Related information
Sign up to the Sophos Support SMS Notification Service to get the latest information on product releases and critical issues.