OVHcloud Bare Metal Cloud Status

SACK Vulnerabilities - CVE-2019-11477 / CVE-2019-11478 / CVE-2019-11479
Scheduled Maintenance Report for Bare Metal Cloud
Completed
Yesterday, at 7pm CEST, 4 vulnerabilities were disclosed affecting the TCP stack of the Linux kernel. They rely on an integer overflow in the Linux kernel, which can lead to a kernel panic, and on the algorithmic complexity of the SACK implementation, which can lead to CPU resource exhaustion. In both cases, the impact is on service availability.

* Who is vulnerable?

- All Linux OSes with kernels after 2.6.29 (March 2009)
- FreeBSD 12 using the RACK TCP stack. Fortunately, this is not the default stack; you can run `sysctl net.inet.tcp.cc.algorithm` to check on your system, and if it does not return "rack", you are safe
- If you expose a TCP service on the Internet (web service, SSH, RPC, ...), your system is potentially affected, since the attack only needs an established TCP connection to succeed
- If your service is behind a firewall, or iptables/pf is set up to open the service only to trusted IPs, you are safe

* How to fix?

- There are 3 possibilities; you only need to pick ONE of them:

1. Update your kernel (the major distros have already released the fix):
Linux version 4.4.182 or above
Linux version 4.9.182 or above
Linux version 4.14.127 or above
Linux version 4.19.52 or above
Linux version 5.1.11 or above
Note that the Linux 3.16 branch has not yet been announced as patched.
Have a look at your Linux distro website (Ubuntu, Red Hat, SuSE, ...) for more details, as your vendor might have backported the patch on its own kernel version.

2. The firewall mitigation
The attack is based on a small MSS option, which is very unusual in standard network communication. Consequently, you can drop all packets carrying a small MSS option in order to protect your system from the attack.
For instance, the iptables rules may look like:
# iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP -m comment --comment "Drop small MSS packets to prevent TCP SACK attacks. (ipv4)"
# ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP -m comment --comment "Drop small MSS packets to prevent TCP SACK attacks. (ipv6)"

3. Disable SACK (not recommended)
Since the root cause of the vulnerability is an issue in the SACK handling, you can also disable SACK in your kernel. This may have a huge impact on your performance, and we don't recommend this mitigation.
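To check a server against the fixed-version table above, here is an added example (not OVHcloud tooling): a POSIX sh script that classifies a kernel version string as patched, vulnerable or unknown according to the branches listed in option 1, and reports whether SACK is still enabled (net.ipv4.tcp_sack). It assumes upstream version numbers; vendor kernels with backported fixes keep an older number and must be checked against the vendor advisory instead.

```sh
#!/bin/sh
# Added example, not OVHcloud tooling: classify a kernel version string against
# the fixed upstream versions listed in this advisory.
# Assumption: vendor kernels with backported fixes keep an older upstream version
# number and are reported as "vulnerable" here; check the vendor advisory for those.

# Fixed upstream versions from the advisory, one per stable branch.
FIXED_VERSIONS="4.4.182 4.9.182 4.14.127 4.19.52 5.1.11"

# split_version "4.9.182-amd64" -> MAJ=4 MIN=9 PAT=182 (suffixes dropped)
split_version() {
    v=${1%%-*}
    IFS=. read -r MAJ MIN PAT <<EOF
$v
EOF
    PAT=${PAT%%[!0-9]*}          # "52+" -> "52"
    PAT=${PAT:-0}
}

# sack_status VERSION: prints "not affected", "patched", "vulnerable" or
# "unknown" and returns 0, 0, 1 or 2 respectively.
sack_status() {
    split_version "$1"
    maj=$MAJ; min=$MIN; pat=$PAT
    # Advisory: kernels from 2.6.29 onwards are affected; earlier ones are not.
    if [ "$maj" -lt 2 ] || { [ "$maj" -eq 2 ] && [ "$min" -lt 6 ]; } ||
       { [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -lt 29 ]; }; then
        echo "not affected"; return 0
    fi
    for fixed in $FIXED_VERSIONS; do
        split_version "$fixed"
        if [ "$maj" -eq "$MAJ" ] && [ "$min" -eq "$MIN" ]; then
            if [ "$pat" -ge "$PAT" ]; then echo patched; return 0; fi
            echo vulnerable; return 1
        fi
    done
    # Branch not in the advisory's table (e.g. 3.16, not yet announced as
    # patched): the table alone cannot decide.
    echo unknown; return 2
}

# Running kernel, plus whether SACK is enabled at all (net.ipv4.tcp_sack=1
# means mitigation 3, disabling SACK, is not in effect).
running=$(uname -r)
echo "kernel $running: $(sack_status "$running")"
sack=$(sysctl -n net.ipv4.tcp_sack 2>/dev/null || echo "n/a")
echo "net.ipv4.tcp_sack=$sack"
```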

* Is the exploit public?

- As far as we know (2019-06-18), no exploit is public yet, but this is probably a matter of hours/days.

* Identification numbers

- CVE-2019-11477: SACK Panic (Linux >= 2.6.29) | CVSS: 8.2
- CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions) | CVSS: 8.2
- CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack) | CVSS: ?? (low severity)
- CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions) | CVSS: 7.5

* External References

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
https://access.redhat.com/security/vulnerabilities/tcpsack
https://aws.amazon.com/fr/security/security-bulletins/AWS-2019-005/
https://bugzilla.suse.com/show_bug.cgi?id=1137586

Update(s):

Date: 2019-06-18 15:24:17 UTC
Bare-metal servers are now installing 4.9.182 kernels which are safe regarding these vulnerabilities.
The Netboot has also been patched.
Posted Jun 18, 2019 - 10:18 UTC