Advisory: TCP SACK PANIC kernel vulnerability

Overview

This article outlines the details of the TCP SACK PANIC kernel vulnerability and how it impacts Sophos products.

Three related flaws were found in the Linux kernel's handling of TCP Selective Acknowledgement (SACK) segments in combination with very low Maximum Segment Size (MSS) values.

They have been assigned the following CVEs and severity ratings:

  • CVE-2019-11477 is rated Important severity
  • CVE-2019-11478 and CVE-2019-11479 are rated Moderate severity

Applies to the following Sophos products and versions

Product                          | Affected | Release Plan
---------------------------------|----------|--------------------------------------
Sophos XG Firewall               | Yes      | Fixed version XG v17.5 MR7, released
Sophos UTM                       | Yes      | Fixed version UTM 9.604, released
Cyberoam                         | Yes      | End of July
Sophos Firewall Manager          | No       |
Sophos UTM Manager               | Yes      | Fixed version SUM 4.309, released
Sophos Email Appliance           | No       |
Sophos Web Appliance             | Yes      | Fixed version 4.3.8.1, released
Sophos RED                       | No       |
Sophos AP/APX                    | No       |
Sophos iView                     | No       |
Sophos Central Firewall Manager  | No       |
Sophos for Virtual Environments  | Yes      | Mid-July

Impact

CVE-2019-11477

  • A remote, unauthenticated attacker can trigger a kernel panic on an affected system with crafted SACK segments, resulting in a Denial of Service (hence the name "SACK PANIC").

CVE-2019-11478

  • A remote attacker can send a crafted sequence of SACKs that fragments the TCP retransmission queue. The kernel then spends an excessive amount of CPU time walking and merging the fragmented queue, resulting in a Denial of Service.

CVE-2019-11479

  • A remote attacker can send crafted packets that advertise a very low MSS value, forcing the kernel to split outgoing data into many tiny segments and consume excessive resources. The system continues to operate at reduced capacity, resulting in a Denial of Service for some users.

What to Do

Sophos is actively working to resolve this issue with high priority.

In the meantime, users can follow the workaround instructions outlined below.

Workaround

To mitigate these vulnerabilities while a permanent fix is being developed, disable selective acknowledgements system-wide. The change applies to all newly established TCP connections; connections that are already open keep the SACK setting negotiated in their handshake, so long-lived sessions should be reset for the workaround to take full effect.

Sophos XG Firewall

Disable selective acknowledgements from the XG console. This workaround is reboot-persistent.

Note: Disabling SACK may reduce throughput when packet loss occurs, because every loss then requires a full retransmission from the lost segment onward.

  • Log in to the XG console and select option 4 (Device Console), then run:
    • set advanced-firewall tcp-selective-acknowledgement off
  • To verify, run:
    • show advanced-firewall

      and confirm the output contains the line:

      TCP Selective Acknowledgements: off

Update: SFOS version 17.5 MR7 resolves this vulnerability. If the workaround above was applied on your XG Firewall before upgrading to 17.5 MR7, re-enable SACK after the upgrade by running set advanced-firewall tcp-selective-acknowledgement on.

Sophos UTM

Two reboot-persistent workarounds are available. Each has caveats, and users may prefer one over the other:

  1. Limiting the MSS size, which mitigates all three CVEs
  2. Disabling selective acknowledgements, which mitigates only CVE-2019-11477 (Important) and CVE-2019-11478, not CVE-2019-11479

Limiting MSS Size

This workaround mitigates all three CVEs. Both steps are required: the iptables rule drops incoming TCP segments that advertise an MSS of 500 bytes or less, and the filter is only effective when MTU probing is disabled.

Note: A side effect of this change is that it may disrupt legitimate traffic that relies on low MSS values.

  1. Disable MTU probing, persistently:

     echo "net.ipv4.tcp_mtu_probing = 0" >> /etc/sysctl.conf
     sysctl -p

  2. Add the following rule to /var/mdw/etc/iptables/iptable.filter, directly after the ":USR_OUTPUT - [0:0]" line (line 29 in UTM v9.603):

     -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
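The following script is an added example, not Sophos tooling, that reports which of the three CVEs a Linux host has mitigated according to the mapping this advisory gives: SACK disabled covers CVE-2019-11477 and CVE-2019-11478 only, while the low-MSS DROP rule together with MTU probing off covers all three. It reads the two sysctls from /proc and parses the output of iptables-save (which must be run as root); the MSS floor of 500 and the INPUT-chain rule shape are taken from the rule above, and the function and variable names are this example's own.

```python
#!/usr/bin/env python3
"""Report TCP SACK PANIC mitigation status on a Linux host.

Added example (not Sophos code). Checks the two workarounds described in
the advisory and maps them to CVEs the way the advisory does.
"""
import re
import subprocess
from pathlib import Path

CVES = ("CVE-2019-11477", "CVE-2019-11478", "CVE-2019-11479")
MSS_FLOOR = 500  # from the advisory's rule: --mss 1:500

# Matches an iptables-save style DROP rule on the INPUT chain using the
# tcpmss match, e.g. "-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP".
MSS_DROP_RE = re.compile(
    r"^-A\s+INPUT\b.*-p\s+tcp\b.*-m\s+tcpmss\s+--mss\s+(\d+):(\d+)\b.*-j\s+DROP\b"
)


def read_sysctl(name: str) -> int:
    """Read an integer sysctl via /proc, e.g. net.ipv4.tcp_sack."""
    return int(Path("/proc/sys", *name.split(".")).read_text().strip())


def low_mss_drop_present(iptables_save_text: str, floor: int = MSS_FLOOR) -> bool:
    """True if an INPUT rule drops TCP segments advertising MSS 1..floor.

    A rule that starts above 1 or stops below the floor leaves some low
    MSS values unfiltered, so it does not count as the mitigation.
    """
    for line in iptables_save_text.splitlines():
        m = MSS_DROP_RE.match(line.strip())
        if m and int(m.group(1)) <= 1 and int(m.group(2)) >= floor:
            return True
    return False


def mitigation_status(tcp_sack: int, tcp_mtu_probing: int,
                      iptables_save_text: str) -> dict:
    """Map the workarounds to the CVEs exactly as the advisory describes."""
    sack_off = tcp_sack == 0
    # The MSS filter only counts when MTU probing is disabled as well.
    mss_filtered = tcp_mtu_probing == 0 and low_mss_drop_present(iptables_save_text)
    return {
        "CVE-2019-11477": sack_off or mss_filtered,
        "CVE-2019-11478": sack_off or mss_filtered,
        "CVE-2019-11479": mss_filtered,  # disabling SACK does not cover this one
    }


def main() -> None:
    rules = subprocess.run(["iptables-save"], capture_output=True,
                           text=True, check=False).stdout
    status = mitigation_status(read_sysctl("net.ipv4.tcp_sack"),
                               read_sysctl("net.ipv4.tcp_mtu_probing"),
                               rules)
    for cve in CVES:
        print(f"{cve}: {'mitigated' if status[cve] else 'NOT mitigated'}")


if __name__ == "__main__":
    main()
```

Run it as root after applying either workaround; a host that only disabled SACK will correctly show CVE-2019-11479 as not mitigated, and a host with the DROP rule but tcp_mtu_probing = 1 will show none of them as mitigated.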
