The recently published CVE-2019-11477 and CVE-2019-11478 attacks enable an attacker who can reach any TCP port on your server (in practice nearly everyone, since a web or mail server exposes one) to either:
- Slow it down severely
- Cause a kernel crash
See the NIST publication for more detail:
https://nvd.nist.gov/vuln/detail/CVE-2019-11477
Distributions have released fixes for both, listed below. CVE-2019-11478 is a real issue too, but CVE-2019-11477 has the higher impact, so that is the one referenced here. So far as I have seen, the fix for both lands in the same package version, so you only need to consult the -11477 articles:
Mitigation
You can mitigate this attack with iptables. If you are using fwtree, our latest release for el6 and el7 includes the mitigation (version 1.0.1-70 or newer). Of course it is best to update your kernel, but this provides a quick fix without rebooting:
# [ -d /etc/fwtree.d ] && yum install -y fwtree && systemctl reload fwtree && iptables-save | grep MITIGATIONS
You can also do it directly with iptables:
# iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
You can also disable TCP selective acks in sysctl:
# Add this to /etc/sysctl.conf
net.ipv4.tcp_sack=0
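To verify that the two mitigations above are actually in force on a host (rather than just typed once), here is an added Python audit script; it is not part of the original page and is not fwtree code. It parses `iptables-save` output for a DROP rule matching SYN segments with an MSS option of 1..500, in INPUT or in a chain INPUT jumps to directly (a one-hop simplification), and checks the value `sysctl net.ipv4.tcp_sack` reports. The two `iptables-save` dumps embedded below are constructed samples, and the MITIGATIONS chain name is only assumed to mirror the `grep MITIGATIONS` check above.

```python
import shlex
import subprocess

# Constructed sample of `iptables-save` output (not captured from a real host):
# the mitigation rule lives in a MITIGATIONS chain that INPUT jumps to.
SAMPLE_MITIGATED = """\
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MITIGATIONS - [0:0]
-A INPUT -j MITIGATIONS
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A MITIGATIONS -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
COMMIT
"""

# Constructed sample of a host with no MSS rule at all.
SAMPLE_UNMITIGATED = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def _parse_rule(line):
    """Turn '-A CHAIN opt args...' into (chain, {option: [args]}).
    Options that repeat (e.g. two '-m' matches) accumulate their arguments."""
    toks = shlex.split(line)
    chain, opts, key = toks[1], {}, None
    for tok in toks[2:]:
        if tok.startswith("-"):
            key = tok
            opts.setdefault(key, [])
        elif key is not None:
            opts[key].append(tok)
    return chain, opts


def _mss_range(spec):
    """'1:500' -> (1, 500); a bare '500' means exactly 500."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def find_mss_drop_rules(save_text, max_mss=500):
    """Return [(chain, rule)] for every rule that DROPs TCP SYN segments whose
    MSS option covers at least 1..max_mss (the rule shape from the advisory).
    Only rules in INPUT, or in a chain INPUT jumps to directly, count."""
    parsed = []
    for line in save_text.splitlines():
        if line.startswith("-A ") and "!" not in line:   # negated rules never count
            parsed.append((line, *_parse_rule(line)))
    reachable = {"INPUT"} | {o["-j"][0] for _, c, o in parsed if c == "INPUT" and o.get("-j")}
    found = []
    for line, chain, opts in parsed:
        if chain not in reachable or opts.get("-p") != ["tcp"] or opts.get("-j") != ["DROP"]:
            continue
        flags, mss = opts.get("--tcp-flags", []), opts.get("--mss", [])
        if len(flags) != 2 or len(mss) != 1:
            continue
        mask, comp = flags[0].split(","), flags[1].split(",")
        if "SYN" not in mask or "SYN" not in comp:
            continue
        lo, hi = _mss_range(mss[0])
        if lo <= 1 and hi >= max_mss:
            found.append((chain, line))
    return found


def sack_disabled(sysctl_text):
    """Parse `sysctl net.ipv4.tcp_sack` output (or /etc/sysctl.conf lines);
    True only when the key is present and set to 0."""
    for line in sysctl_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "net.ipv4.tcp_sack":
            return val.strip() == "0"
    return False


def audit(save_text, sysctl_text):
    """Summarise which of the two mitigations from the advisory is in place."""
    return {
        "mss_drop_rule": bool(find_mss_drop_rules(save_text)),
        "sack_disabled": sack_disabled(sysctl_text),
    }


def _run(cmd):
    """Run a command and return its stdout ('' if it is missing or fails)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    # Live use needs root for iptables-save; the constructed sample runs anywhere.
    print("live host:", audit(_run(["iptables-save"]), _run(["sysctl", "net.ipv4.tcp_sack"])))
    print("constructed sample:", audit(SAMPLE_MITIGATED, "net.ipv4.tcp_sack = 1"))
```

Run the same `audit` over `ip6tables-save` output as well, since the IPv4 rule does nothing for IPv6 traffic. Note that the script checks the value the kernel currently reports: adding `net.ipv4.tcp_sack=0` to /etc/sysctl.conf alone does not change the running value until `sysctl -p` (or `sysctl -w net.ipv4.tcp_sack=0`) is applied.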
Red Hat / CentOS / Scientific Linux
Vendor security article: https://access.redhat.com/security/cve/cve-2019-11477
Fixed Versions
- el5: not vulnerable (and EOL, so upgrade already!)
- el6: kernel-2.6.32-754.15.3.el6
- el7: kernel-3.10.0-957.21.3.el7
Ubuntu
Vendor security article: https://usn.ubuntu.com/4017-1/
Fixed Versions
- Ubuntu 19.04
  - 5.0.0.1008.8
- Ubuntu 18.10
  - 4.18.0.22.23
- Ubuntu 18.04 LTS
  - 4.15.0-52.56
- Ubuntu 16.04 LTS
  - 4.15.0-52.56~16.04.1
  - 4.4.0-151.178
Debian
Vendor security article: https://security-tracker.debian.org/tracker/CVE-2019-11477
Fixed Versions
- jessie
  - 3.16.68-2
  - 4.9.168-1+deb9u3~deb8u1
- stretch
  - 4.9.168-1+deb9u3
- sid
  - 4.19.37-4
SuSE
Vendor security article: https://www.suse.com/security/cve/CVE-2019-11477/
Fixed Versions
For SuSE there are too many minor releases to list them all here. As a rule of thumb, if you are running a newer kernel than these you are probably okay, but double-check the vendor security article for your specific release and use case:
- Pre SLES-15:
  - 3.12.61-52.154.1
  - 4.4.121-92.114.1
  - 4.4.180-94.97.1
  - 4.12.14-95.19.1
- SLES 15
  - 4.12.14-150.22.1
- Leap 15
  - 4.12.14-lp150.12.64.1
Vanilla Upstream Kernel (kernel.org)
Security patch: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=3b4929f65b0d8249f19a50245cd88ed1a2f78cff
Fixed Versions
- 5.1.11
- 4.19.52
- 4.14.122
- 4.9.182
- 4.4.182
- 3.16.69
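To turn the fixed-version tables above into a check you can run across a fleet, here is an added Python example; it is not from the original page or from any vendor tool. It compares a running kernel version with the fixed version for its release using rpmvercmp-style ordering (digit runs compare numerically, letter runs lexically, a numeric segment beats an alphabetic one), which is a simplification: dpkg's special handling of `~` is ignored. The fixed versions in the table are copied from this page; the release labels, host names and version strings in the sample inventory are constructed. On RPM-based systems `uname -r` is directly comparable; on Debian and Ubuntu `uname -r` omits the upload number, so feed it the kernel package version (e.g. from `dpkg-query -W -f='${Version}' linux-image-$(uname -r)`) instead.

```python
import re

# Fixed kernel versions as listed in the advisory above, keyed by release labels
# chosen for this example.
FIXED_VERSIONS = {
    "el6": "2.6.32-754.15.3.el6",
    "el7": "3.10.0-957.21.3.el7",
    "debian-stretch": "4.9.168-1+deb9u3",
    "ubuntu-18.04": "4.15.0-52.56",
    "upstream-4.19": "4.19.52",
}


def _segments(version):
    """Split '3.10.0-957.21.3.el7' into [3, 10, 0, 957, 21, 3, 'el', 7]:
    digit runs become ints, letter runs stay strings, separators are dropped."""
    return [int(s) if s.isdigit() else s
            for s in re.findall(r"\d+|[A-Za-z]+", version)]


def compare_versions(a, b):
    """rpmvercmp-style ordering: -1 if a < b, 0 if equal, 1 if a > b.
    A numeric segment is newer than an alphabetic one at the same position;
    when one version is a prefix of the other, the longer one is newer, which
    makes 'x.y.z.el7.x86_64' from uname -r rank above the bare 'x.y.z.el7'."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_patched(running, release):
    """True when `running` is at or above the fixed version for `release`."""
    return compare_versions(running, FIXED_VERSIONS[release]) >= 0


def check_hosts(inventory):
    """inventory: (hostname, release, version) triples, the version taken from
    `uname -r` on RPM-based hosts or from the kernel package on dpkg-based ones.
    Returns the hostnames still running a vulnerable kernel, in inventory order."""
    return [host for host, release, version in inventory
            if not is_patched(version, release)]


# Constructed inventory (not real hosts) covering the interesting cases.
SAMPLE_INVENTORY = [
    ("web1", "el7", "3.10.0-957.12.2.el7.x86_64"),    # older build: vulnerable
    ("web2", "el7", "3.10.0-957.21.3.el7.x86_64"),    # exactly the fixed build
    ("web3", "el7", "3.10.0-1062.1.1.el7.x86_64"),    # later build series
    ("mail1", "el6", "2.6.32-754.14.2.el6.x86_64"),   # vulnerable
    ("db1", "debian-stretch", "4.9.168-1+deb9u2"),    # one upload short of the fix
    ("db2", "debian-stretch", "4.9.168-1+deb9u3"),
    ("app1", "ubuntu-18.04", "4.15.0-51.55"),         # package version, vulnerable
    ("build1", "upstream-4.19", "4.19.52"),
]

if __name__ == "__main__":
    for host in check_hosts(SAMPLE_INVENTORY):
        print("still vulnerable:", host)
```

The comparator is a heuristic for triage, not a substitute for the vendor articles: vendor kernels carry backports, so a host whose version string sorts below the listed fix is worth checking, while one that sorts above it should still be confirmed against the article for its exact release.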