SACK PANIC vulnerability - CVE-2019-11477, CVE-2019-11478 (4285075)

Converse agora com nosso suporte

Voltar

Feedback enviado

Este artigo resolveu um problema para você?

Selecione a classificação

Título

SACK PANIC vulnerability - CVE-2019-11477, CVE-2019-11478
Descrição

This knowledge article contains a resolution for the following vulnerabilities CVE-2019-11477 and CVE-2019-11478.
Causa

CVE-2019-11477, known as “SACK Panic,” is an integer overflow vulnerability that can be triggered by a remote attacker sending a sequence of TCP Selective ACKnowledgements (SACKs) to a vulnerable system, which could result in a system crash (kernel panic).
CVE-2019-11478 is an excess resource consumption vulnerability that can be triggered by a remote attacker sending a sequence of SACKs to a vulnerable system, resulting in the fragmentation of the TCP retransmission queue.
Resolução
Warning
- These actions will taint the firmware, which will prevent the upgrade of the appliance.
  Remove the tainted files before the next upgrade.
- This patch might be needed to re-apply on certain version after upgrades, if not included in the new version.
Resolution
- Login to boot shell, and use the following command to set kernel parameters:
sysctl -w net.ipv4.tcp_sack=0
- To make it permanent, make sure that /etc/sysctl.conf has the following entry:
net.ipv4.tcp_sack = 0

Feedback enviado

Este artigo resolveu um problema para você?

Selecione a classificação

Conteúdo recomendado

Produto(s):: One Identity Safeguard for Privileged Sessions
6.0 LTS, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5, 4, 3, 5.6.0c; syslog-ng Store Box
6.10.0, 6.9.0, 6.8.0, 6.7.0, 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0, 6.1.0, 6.0.2, 6.0.1, 6.0, 5.3.0, 5.2.0, 5.1.0, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 4.0.7, 4.9.1

Título