TCP SACK panic attack - Linux Kernel Vulnerabilities - CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479

Summary

CVE-2019-11477: The Linux kernel is vulnerable to an integer overflow in the 16 bit width of TCP_SKB_CB(skb)->tcp_gso_segs. A remote attacker could use this to cause a denial of service.

CVE-2019-11478: The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. An attacker might be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection. A remote attacker could use this to cause a denial of service.

CVE-2019-11479: The Linux kernel is vulnerable to a flaw that allows attackers to send crafted packets with low MSS values to trigger excessive resource consumption. An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data. This attack requires continued effort from the attacker and the impacts will end shortly after the attacker stops sending traffic. A remote attacker could use this to cause a denial of service.

Affected Products

The following products are potentially impacted by CVE-2019-11477:

FortiAnalyzer
FortiAP
FortiSiem
FortiSwitch

The following products are potentially impacted by CVE-2019-11478:

FortiGate
FortiAnalyzer
FortiAP
FortiSwitch

The following products are potentially impacted by CVE-2019-11479:

FortiGate
FortiAnalyzer
FortiAP
FortiSwitch

Solutions

FortiAnalyzer: Please upgrade to 6.0.7 and above or 6.2.1 and above.

FortiAP: Please upgrade to 6.0.6 and above or 6.2.1 and above.

FortiSiem: Please upgrade to 5.2.5 and above.

Workaround:

Workaround for FortiSwitch:

The workaround for FortiSwitch is to block connections with low MSS values. The administrator can apply a higher or lower MSS limit as appropriate for their environment. Versions 3.6.11 and above, 6.0.5 and above, and 6.2.2 and above support the following CLI commands that allow the administrator to configure a minimum MSS value:

    config system global
        set tcp-mss-min ( Minimum allowed TCP MSS value in bytes (48-10000, default=48))
        set tcp6-mss-min ( Minimum allowed TCP MSS value in bytes (48-10000, default=48))
    end

Workaround for FortiGate:

The IPS signature Linux.Kernel.TCP.SACK.Panic.DoS (https://www.fortiguard.com/encyclopedia/ips/48103/linux-kernel-tcp-sack-panic-dos) can be used to block connections with small MSS values (by default, smaller than 60 bytes). The MSS value can be changed by the customer to a value that is more appropriate for their environment. To do so, customers need to write their own IPS signature. In the GUI, it is under Security profiles --> Intrusion Prevention.
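
Both workarounds above come down to reading the MSS option a peer advertises in its SYN and refusing values under a configured minimum. The following is an added example of that check, not Fortinet's signature or product code; the function names, verdict codes and sample headers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { V_ALLOW, V_BLOCK_LOW_MSS, V_MALFORMED, V_NOT_SYN };

/* Constructed sample TCP headers (not captured traffic): ports, zeroed seq/ack,
 * data offset, flags (SYN), window, checksum, urgent pointer, then options. */
static const uint8_t SYN_MSS_1460[] = {
    0xC0,0x00, 0x01,0xBB, 0,0,0,0, 0,0,0,0, 0x60,0x02, 0xFF,0xFF, 0,0, 0,0,
    0x02,0x04,0x05,0xB4 };                      /* MSS = 1460 */
static const uint8_t SYN_SACK_MSS_48[] = {
    0xC0,0x00, 0x01,0xBB, 0,0,0,0, 0,0,0,0, 0x70,0x02, 0xFF,0xFF, 0,0, 0,0,
    0x01,0x01,0x04,0x02, 0x02,0x04,0x00,0x30 }; /* NOP NOP SACK-permitted, MSS = 48 */
static const uint8_t SYN_BAD_OPT[] = {
    0xC0,0x00, 0x01,0xBB, 0,0,0,0, 0,0,0,0, 0x60,0x02, 0xFF,0xFF, 0,0, 0,0,
    0x03,0x08,0x00,0x00 };                      /* option length overruns header */

/* Walk the option list of a raw TCP header (starting at the source port).
 * Returns 1 and sets *mss when an MSS option is found, 0 when there is none,
 * -1 when the header or an option is malformed. */
int tcp_parse_mss(const uint8_t *tcp, size_t len, uint16_t *mss)
{
    if (len < 20)
        return -1;
    size_t hdr_len = (size_t)(tcp[12] >> 4) * 4;  /* data offset, 32-bit words */
    if (hdr_len < 20 || hdr_len > len)
        return -1;
    for (size_t i = 20; i < hdr_len; ) {
        uint8_t kind = tcp[i];
        if (kind == 0)                  /* End of Option List */
            break;
        if (kind == 1) {                /* NOP is a single byte, no length */
            i++;
            continue;
        }
        if (i + 1 >= hdr_len)
            return -1;
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > hdr_len)
            return -1;                  /* never read past the header */
        if (kind == 2) {                /* Maximum Segment Size */
            if (olen != 4)
                return -1;
            *mss = (uint16_t)((tcp[i + 2] << 8) | tcp[i + 3]);
            return 1;
        }
        i += olen;
    }
    return 0;
}

/* Verdict for one TCP header against a minimum MSS, e.g. 60 (the IPS
 * signature's default) or a tcp-mss-min style site-specific limit. */
enum verdict syn_mss_verdict(const uint8_t *tcp, size_t len, uint16_t min_mss)
{
    uint16_t mss = 0;
    if (len < 20)
        return V_MALFORMED;
    if (!(tcp[13] & 0x02))              /* MSS is only negotiated on SYN */
        return V_NOT_SYN;
    int rc = tcp_parse_mss(tcp, len, &mss);
    if (rc < 0)
        return V_MALFORMED;
    if (rc == 0)
        return V_ALLOW;                 /* no option: protocol default MSS applies */
    return mss < min_mss ? V_BLOCK_LOW_MSS : V_ALLOW;
}

int main(void)
{
    printf("mss 1460, min 60: %d\n", syn_mss_verdict(SYN_MSS_1460, sizeof SYN_MSS_1460, 60));
    printf("mss 48,   min 60: %d\n", syn_mss_verdict(SYN_SACK_MSS_48, sizeof SYN_SACK_MSS_48, 60));
    printf("mss 48,   min 48: %d\n", syn_mss_verdict(SYN_SACK_MSS_48, sizeof SYN_SACK_MSS_48, 48));
    printf("bad option list:  %d\n", syn_mss_verdict(SYN_BAD_OPT, sizeof SYN_BAD_OPT, 60));
    return 0;
}
```

With the minimum left at 48, an MSS of 48 is still accepted, so the limit has to be raised above the values legitimate peers in the environment actually advertise for the check to have any effect.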