Linux Kernel TCP Selective Acknowledgement Vulnerabilities


WDC Tracking Number: WDC-19010
Published: July 15, 2019

Last Updated: July 15, 2019

Description

Three related flaws were found in the Linux kernel’s handling of TCP Selective Acknowledgement (SACK) packets with a low MSS. The extent of impact at this time is understood to be limited to resource exhaustion and, in the case of CVE-2019-11477, system availability. No potential for privilege escalation or information leak is currently suspected.

While mitigations shown in this article are available, they might affect system performance as well as traffic from legitimate sources. Please evaluate the mitigation that is appropriate for the system’s environment before applying.

Affected Products:

All ActiveScale OS (AOS) versions up to and including 5.5.0 and Active Archive EasiScale (ES) operating system versions up to and including version 4.3.0 are affected by these vulnerabilities. Tables AOS-SACK Vulnerability Matrix and ES-SACK Vulnerability Matrix indicate details and recommended actions.

ActiveScale AOS-SACK Vulnerability Matrix

AOS 5.4.1 and previous versions:
  • CVE-2019-11477: Vulnerable. Update to 5.5.0 Patch 1
  • CVE-2019-11478: Vulnerable. Update to 5.5.0 Patch 1
  • CVE-2019-11479: Vulnerable. Upgrade to 5.5.0 Patch 1 and contact your support provider to set desired MSS value

Active Archive ES-SACK Vulnerability Matrix

CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Update Availability:

Western Digital is releasing a software patch release for ActiveScale Systems to address the vulnerabilities and recommends upgrading all deployed systems.

Product Impact: ActiveScale X100 and P100 running AOS 5.5.0 or previous AOS versions
Last Updated: July 15, 2019
  • ActiveScale OS 5.5.0 Patch 1, which addresses the vulnerabilities identified in this article, was released on July 30, 2019. Upgrading is recommended for all customers.
  • Customers may receive patches for software for which they have a valid service agreement procured from Western Digital directly, or through a Western Digital authorized reseller or partner. In most cases, this will be a patch to software that was previously licensed. Security software updates do not entitle customers to a new service agreement or software license, additional software feature sets, or major revision upgrades.
  • Release notes will be made available on the Western Digital Enterprise Support Center. Customers can call Western Digital support or submit a support ticket request to schedule an upgrade.
  • Customers who purchased directly from Western Digital but do not hold a Western Digital service contract should obtain upgrades by calling Western Digital support.

Advisory Summary

Three related flaws were found in the Linux kernel’s handling of TCP networking. The issues have been assigned multiple CVEs: CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479.

The most severe of the three vulnerabilities, known as SACK Panic (CVE-2019-11477), could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system’s availability. CVE-2019-11478 and CVE-2019-11479, while less severe, could still lead to resource exhaustion on affected systems.

These issues are corrected either by applying mitigations or by applying Linux kernel patches. Patches are released for CVE-2019-11477 and CVE-2019-11478. The vulnerability described in CVE-2019-11479 is primarily due to the TCP specifications not defining a minimum value for the Maximum Segment Size (MSS).

The option to set a minimum MSS has been added to Linux upstream and is available downstream in most recent versions. Note that limitations to MSS cannot be applied automatically and must be made on a case-by-case basis because they may break valid TCP connections.

Western Digital incorporated these kernel patches and the ability to set the MSS in software patches.
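
An added example, not part of Western Digital's advisory or software: because a minimum-MSS limit may break valid connections, this Python code parses the MSS and SACK-permitted options from raw TCP SYN headers and lists the peers that advertise an MSS below a candidate floor. The sample headers, peer labels and floor values are constructed assumptions; in practice the headers would come from your own capture of legitimate client traffic.

```python
import struct

OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_PERMITTED = 0, 1, 2, 4  # TCP option kinds

def parse_syn_options(tcp_header: bytes):
    """Return (mss, sack_permitted) from a raw TCP header; mss is None if absent."""
    # Data offset (upper nibble of byte 12) gives the header length in 32-bit words.
    data_offset = (tcp_header[12] >> 4) * 4 if len(tcp_header) >= 20 else 0
    if not 20 <= data_offset <= len(tcp_header):
        raise ValueError("truncated or bad TCP header")
    opts, i = tcp_header[20:data_offset], 0
    mss, sack_ok = None, False
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        # Every other option carries a length byte covering kind+length+data.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == OPT_SACK_PERMITTED and length == 2:
            sack_ok = True
        i += length
    return mss, sack_ok

def below_floor(syn_headers, floor):
    """Peers whose advertised MSS is under a candidate floor: (label, mss, sack)."""
    parsed = [(label, *parse_syn_options(hdr)) for label, hdr in syn_headers]
    return [p for p in parsed if p[1] is not None and p[1] < floor]

def make_syn(mss, sack=True):
    """Build a constructed SYN header (sample data, not captured traffic)."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)
    opts += bytes([OPT_SACK_PERMITTED, 2, OPT_NOP, OPT_NOP]) if sack else b""
    off = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, off << 4, 0x02, 65535, 0, 0) + opts

# Constructed peers: labels and MSS values are illustrative assumptions.
SAMPLES = [("ethernet", make_syn(1460)), ("vpn", make_syn(1360)),
           ("legacy", make_syn(536)), ("tiny", make_syn(48, sack=False))]

if __name__ == "__main__":
    for floor in (88, 536, 1400):  # candidate floors, chosen for illustration
        print(floor, below_floor(SAMPLES, floor))
```

A floor that flags only implausibly small values leaves ordinary clients untouched, while a floor set too high starts catching legitimate links such as the constructed "vpn" and "legacy" peers.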

Mitigations

For mitigations, contact Western Digital support by calling or submitting a support ticket request.

CVE Number: CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479
Reported by: Jonathan Looney