Return
-
Title
SACK PANIC vulnerability - CVE-2019-11477, CVE-2019-11478 -
Description
This knowledge article contains a resolution for the following vulnerabilities CVE-2019-11477 and CVE-2019-11478.
-
Cause
CVE-2019-11477, known as “SACK Panic,” is an integer overflow vulnerability that can be triggered by a remote attacker sending a sequence of TCP Selective ACKnowledgements (SACKs) to a vulnerable system, which could result in a system crash (kernel panic).
CVE-2019-11478 is an excess resource consumption vulnerability that can be triggered by a remote attacker sending a sequence of SACKs to a vulnerable system, resulting in the fragmentation of the TCP retransmission queue.
-
Resolution
Warning
- These actions will taint the firmware, which will prevent the upgrade of the appliance.
Remove the tainted files before the next upgrade.
- This patch might be needed to re-apply on certain version after upgrades, if not included in the new version.
Resolution
- Login to boot shell, and use the following command to set kernel parameters:
sysctl -w net.ipv4.tcp_sack=0
- To make it permanent, make sure that /etc/sysctl.conf has the following entry:
net.ipv4.tcp_sack = 0
- These actions will taint the firmware, which will prevent the upgrade of the appliance.