PSIRT Advisory

TCP SACK panic attack - Linux Kernel Vulnerabilities - CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479

Summary

CVE-2019-11477:

The Linux kernel is vulnerable to an integer overflow in the 16-bit width of TCP_SKB_CB(skb)->tcp_gso_segs. A remote attacker could use this to cause a denial of service.

CVE-2019-11478:

The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. An attacker might be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection. A remote attacker could use this to cause a denial of service.

CVE-2019-11479:

The Linux kernel is vulnerable to a flaw that allows attackers to send crafted packets with low MSS values to trigger excessive resource consumption. An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data. This attack requires continued effort from the attacker, and the impact ends shortly after the attacker stops sending traffic. A remote attacker could use this to cause a denial of service.

Impact

Denial of Service

Affected Products

The following products are potentially impacted by CVE-2019-11477: 

FortiAnalyzer
FortiAP
FortiSwitch


The following products are potentially impacted by CVE-2019-11478:

FortiGate
FortiAnalyzer
FortiAP
FortiSwitch


The following products are potentially impacted by CVE-2019-11479: 

FortiGate
FortiAnalyzer
FortiAP
FortiSwitch

Solutions

FortiAnalyzer: Please upgrade to 6.0.7 and above or 6.2.1 and above.
FortiAP: Please upgrade to 6.0.6 and above or 6.2.1 and above.


Workaround: 

Workaround for FortiSwitch: 


The workaround for FortiSwitch is to block connections with low MSS values. The administrator can apply a higher or lower MSS limit as appropriate for their environment.
Versions 3.6.11 and above, 6.0.5 and above, and 6.2.2 and above support the following CLI commands, which allow the administrator to configure a minimum MSS value:

config system global
    set tcp-mss-min <value>    (Minimum allowed TCP MSS value in bytes (48-10000, default=48))
    set tcp6-mss-min <value>   (Minimum allowed TCP MSS value in bytes (48-10000, default=48))
end

Workaround for FortiGate: 

The IPS signature Linux.Kernel.TCP.SACK.Panic.DoS (https://www.fortiguard.com/encyclopedia/ips/48103/linux-kernel-tcp-sack-panic-dos) can be used to block connections with small MSS values (by default, smaller than 60 bytes).

The MSS value can be changed by the customer to a value that is more appropriate for their environment. 

To do so, customers need to write their own IPS signature. In the GUI, it is under Security profiles --> Intrusion Prevention.
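Both workarounds above (the FortiSwitch tcp-mss-min setting and the FortiGate IPS signature) come down to the same check: inspect the MSS option a peer advertises in its SYN and refuse connections whose MSS is below a minimum. The following is an added illustration of that check, written for this advisory and not code from Fortinet or from either product; the function names, the constructed SYN headers and the segments_required helper are this example's own. The default minimum of 48 bytes mirrors the tcp-mss-min default and 60 mirrors the IPS signature default, both taken from the text above.

```python
"""Flag TCP SYN segments that advertise a low MSS (constructed example)."""
import struct
from typing import Dict, Optional

TCP_OPT_EOL = 0   # end of option list
TCP_OPT_NOP = 1   # padding
TCP_OPT_MSS = 2   # maximum segment size, 2-byte value
TCP_OPT_SACK_PERMITTED = 4


def parse_tcp_options(tcp_header: bytes) -> Dict[int, bytes]:
    """Return {kind: value} for the options of a raw TCP header (no IP header).

    Parsing stops at End-of-Option-List and at the first malformed option
    (missing or out-of-range length), so a truncated list yields only the
    options that were fully present.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4  # header length incl. options
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid data offset")
    opts = tcp_header[20:data_offset]
    parsed: Dict[int, bytes] = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                      # kind byte without a length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                      # length runs past the option area
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def extract_mss(tcp_header: bytes) -> Optional[int]:
    """Advertised MSS in bytes, or None if the option is absent/malformed."""
    value = parse_tcp_options(tcp_header).get(TCP_OPT_MSS)
    if value is None or len(value) != 2:
        return None
    return struct.unpack("!H", value)[0]


def is_syn(tcp_header: bytes) -> bool:
    flags = tcp_header[13]
    return bool(flags & 0x02) and not (flags & 0x10)   # SYN set, ACK clear


def should_block(tcp_header: bytes, min_mss: int = 48) -> bool:
    """The minimum-MSS workaround: block a SYN whose MSS is below min_mss.

    A SYN without an MSS option is not blocked (design choice of this
    example): the peer then uses the protocol default rather than a tiny MSS.
    """
    if not is_syn(tcp_header):
        return False
    mss = extract_mss(tcp_header)
    return mss is not None and mss < min_mss


def segments_required(payload_len: int, mss: int) -> int:
    """Number of TCP segments needed to carry payload_len bytes at a given MSS;
    shows the amplification behind CVE-2019-11479 (8-byte segments)."""
    if mss <= 0:
        raise ValueError("MSS must be positive")
    return -(-payload_len // mss)      # ceiling division


def build_syn(mss: Optional[int] = None, sack_permitted: bool = False,
              src_port: int = 40000, dst_port: int = 443) -> bytes:
    """Construct a minimal TCP SYN header for testing (constructed sample)."""
    options = b""
    if mss is not None:
        options += bytes([TCP_OPT_MSS, 4]) + struct.pack("!H", mss)
    if sack_permitted:
        options += bytes([TCP_OPT_SACK_PERMITTED, 2])
    while len(options) % 4:            # pad option area to a 32-bit boundary
        options += bytes([TCP_OPT_NOP])
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    return header + options


if __name__ == "__main__":
    for mss in (8, 59, 1460):
        syn = build_syn(mss=mss, sack_permitted=True)
        print(f"MSS {mss}: block at 48? {should_block(syn)}  "
              f"block at 60? {should_block(syn, min_mss=60)}  "
              f"segments for 1460 B: {segments_required(1460, mss)}")
```

The parser deliberately treats a malformed option list as "no MSS advertised" rather than raising, so a device applying this check fails open on garbage options; a deployment that prefers to fail closed would block on a parse failure instead.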