Arch Linux Security Advisory ASA-201906-15 ========================================== Severity: High Date : 2019-06-18 CVE-ID : CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 Package : linux-zen Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-985 Summary ======= The package linux-zen before version 5.1.11.zen1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 5.1.11.zen1-1. # pacman -Syu "linux-zen>=5.1.11.zen1-1" The problems have been fixed upstream in version 5.1.11.zen1. Workaround ========== - CVE-2019-11477 and CVE-2019-11478 $ sudo sysctl -w net.ipv4.tcp_sack=0 The mitigation described below for CVE-2019-11479 is also sufficient for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is not viable. - CVE-2019-11479 $ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using the iptables rules shown above. Description =========== - CVE-2019-11477 (denial of service) An integer overflow has been discovered in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A sequence of SACKs may be crafted such that one can trigger a kernel panic. A remote attacker could use this to cause a denial of service (system crash). - CVE-2019-11478 (denial of service) An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel's socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection. - CVE-2019-11479 (denial of service) An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection was set to low values, such as 48 bytes, it can leave as little as 8 bytes for the user data, which significantly increases the Linux kernel's resource (CPU, Memory, and Bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with low TCP MSS. Impact ====== A remote attacker is able to crash the system by sending specially crafted TCP packets. References ========== https://www.openwall.com/lists/oss-security/2019/06/17/5 https://github.com/Netflix/security-bulletins/blob/master/advisories/third-p... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... https://security.archlinux.org/CVE-2019-11477 https://security.archlinux.org/CVE-2019-11478 https://security.archlinux.org/CVE-2019-11479