Issues have been identified in the way the Linux kernel’s TCP implementation processes Selective Acknowledgement (SACK) options and handles low Maximum Segment Size (MSS) values. These TCP SACK Panic vulnerabilities could expose servers to a denial of service attack, so it is crucial to have systems patched.
Updated versions of the Linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESMusers.
It is recommended to update to the latest kernel packages and consult Ubuntu Security Notices for further updates.
Ubuntu Advantage for Infrastructure subscription customers can find the latest status information in our Knowledge Base and file a support case with Canonical support for any additional questions or concerns around SACK Panic.
Canonical’s Kernel Livepatch updates for security vulnerabilities related to TCP SACK processing in the Linux kernel have been released and are described by CVEs 2019-11477 and 2019-11478, with details of the patch available in LSN-0052-1.
These CVEs have a Livepatch fix available, however, a minimum kernel version is required for Livepatch to install the fix as denoted by the table in LSN-0052-1, reproduced here:
| Kernel | Version | flavors | |--------------------------+----------+--------------------------| | 4.4.0-148.174 | 52.3 | generic, lowlatency | | 4.4.0-150.176 | 52.3 | generic, lowlatency | | 4.15.0-50.54 | 52.3 | generic, lowlatency | | 4.15.0-50.54~16.04.1 | 52.3 | generic, lowlatency | | 4.15.0-51.55 | 52.3 | generic, lowlatency | | 4.15.0-51.55~16.04.1 | 52.3 | generic, lowlatency |
Livepatch fixes for CVEs 2019-11477 and 2019-11478 are not available for prior kernels, and an upgrade and reboot to the appropriate minimum version is necessary. These kernel versions correspond to the availability of mitigations for the MDS seriesof CVEs (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091).
Additionally, a third SACK related issue, CVE-2019-11479, does not have a Livepatch fix available because it is not technically feasible to apply the changes via Livepatch.
SACK Panic and Other TCP Denial of Service Issues
CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Jonathan Looney discovered several flaws in the way that the Linux kernel’s TCP implementation processes Selective Acknowledgement (SACK) options and handles low Maximum Segment Size (MSS) values. A remote attacker could use these issues to perform denial of service attacks on a server.
Three CVEs have been assigned to these issues:
- CVE-2019-11477 for a remote denial of service (system crash) known as SACK Panic
- CVE-2019-11478 for a remote denial of service (resource exhaustion)
- CVE-2019-11479 for a remote denial of service (resource exhaustion)
CVE-2019-11477 is the highest severity issue because a remote attacker can leverage it to immediately crash a system due to an integer overflow when processing TCP SACKs. It affects all current Ubuntu releases.
CVE-2019-11478 is also severe because it can have a significant impact on CPU performance when processing TCP SACKs – this affects systems running kernel versions 4.14 and older. This includes the Ubuntu 16.04 LTS base kernel and all currently maintained kernels of Ubuntu 14.04 ESM and Ubuntu 12.04 ESM.
CVE-2019-11479 can impact CPU performance while the TCP stack is handling a malicious session that was opened using a very small MSS value. The vulnerability has less of an impact than the other two issues. It affects all current Ubuntu releases. This issue will be addressed in a set of future Ubuntu kernel updates.
CVE-2019-11477 and CVE-2019-11478
You should update your kernel to the versions specified below in the Updates section and reboot. Alternatively, Canonical Livepatch updates will be available to mitigate these two issues without the need to reboot.
If neither of those options are possible at this time, you can mitigate the issue by temporarily disabling TCP SACK support:
$ sudo sysctl -w net.ipv4.tcp_sack=0 net.ipv4.tcp_sack = 0
IMPORTANT: The sysctl modification shown above is not persistent across reboots
The mitigation described below for CVE-2019-11479 is also sufficient for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is not viable.
Ubuntu kernel updates are not yet available for CVE-2019-11479. Future Ubuntu kernel updates will be available for Ubuntu 19.04, Ubuntu 18.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS which will provide a sysctl that allows the system administrator to define the MSS value that the system should honor when outgoing TCP segments.
In the meantime, you may use an iptables rule to define the MSS value accepted for new TCP sessions. The rule will need to be tailored to your network environment in order to ensure that you aren’t blocking TCP connections containing reasonable MSS values for your environment. The addition of a simple rule that only allows MSS values greater than 500 bytes is shown here:
$ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
Some firewalls may be implemented using nftables instead of iptables. The nftables equivalent is shown here:
$ sudo nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop
IMPORTANT: The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using either of the firewall rules shown above. Ensure it is disabled using the following command:
$ sysctl net.ipv4.tcp_mtu_probing net.ipv4.tcp_mtu_probing = 0
Ubuntu users are recommended to update to the latest kernel packages to receive updates for CVE-2019-11477 and CVE-2019-11478. The majority of users should ensure that the following kernel packages are installed:
Important: CVE-2019-11479 is not addressed in the kernel updates mentioned below. It will be fixed in a future Ubuntu kernel update.
|Ubuntu Release||Base Kernel||Enablement Kernel|
|18.04 LTS||linux-image-4.15.0-52-generic 4.15.0-52.56||linux-image-4.18.0-22-generic 4.18.0-22.23~18.04.1|
|16.04 LTS||linux-image-4.4.0-151-generic 4.4.0-151.178||linux-image-4.15.0-52-generic 4.15.0-52.56~16.04.1|
|14.04 ESM||linux-image-3.13.0-171-generic 3.13.0-171.222||linux-image-4.4.0-151-generic 4.4.0-151.178~14.04.1|
|12.04 ESM||linux-image-3.2.0-141-generic 3.2.0-141.188||linux-image-3.13.0-171-generic 3.13.0-171.222~12.04.1|
Users of other Ubuntu kernels should consult the Ubuntu Security Notices for specific version information.
For more information on these issues, please see the following reference documents: