To maintain the highest level of security on your servers, please review the following security notices concerning vulnerabilities in certain Linux and FreeBSD systems and, where necessary, apply the indicated updates.
1: CVE-2019-11477: SACK Panic (Linux >= 2.6.29) - CVSS of 7.5
Description: A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
Workaround #1: Block connections with a low MSS using one of the supplied filters. (The values in the filters are examples. You can apply a higher or lower limit, as appropriate for your environment.) Note that these filters may break legitimate connections which rely on a low MSS. Also, note that this mitigation is only effective if TCP probing is disabled (that is, the net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the default value for that sysctl).
Workaround #2: Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 0).
(Note that either workaround should be sufficient on its own. It is not necessary to apply both workarounds.)
2: CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
Description: It is possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. On Linux kernels prior to 4.15, an attacker may be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.
Workaround #1: Block connections with a low MSS using one of the supplied filters. (The values in the filters are examples. You can apply a higher or lower limit, as appropriate for your environment.) Note that these filters may break legitimate connections which rely on a low MSS. Also, note that this mitigation is only effective if TCP probing is disabled (that is, the net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the default value for that sysctl).
Workaround #2: Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 0).
(Note that either workaround should be sufficient on its own. It is not necessary to apply both workarounds.)
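The workarounds for both CVE-2019-11477 and CVE-2019-11478 depend on the same two sysctls. The following audit script is an added example, not part of this notice or the upstream advisory: it reads tcp_sack and tcp_mtu_probing and reports which workaround (if any) is actually in effect, including the case where a low-MSS filter is present but defeated by MTU probing. The sysctl directory is taken from the assumed SYSCTL_DIR variable so it can be pointed at a constructed directory for offline checks; whether a low-MSS filter is installed is passed in by the caller.

```shell
#!/bin/sh
# Assumed: SYSCTL_DIR points at the ipv4 sysctl tree (default is the live one).
SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/ipv4}"

# Print the value of sysctl key $1 (e.g. tcp_sack), or "missing" if unreadable.
read_sysctl() {
    if [ -r "$SYSCTL_DIR/$1" ]; then
        tr -d '[:space:]' < "$SYSCTL_DIR/$1"
    else
        printf 'missing'
    fi
}

# $1 = 1 if a low-MSS drop filter (Workaround #1) is installed, 0 otherwise.
# Prints exactly one of:
#   sack-disabled                        Workaround #2 in effect (tcp_sack=0)
#   mss-filter-effective                 Workaround #1 in effect, probing off
#   mss-filter-defeated-by-mtu-probing   filter present but tcp_mtu_probing != 0
#   unmitigated                          neither workaround in effect
sack_mitigation_status() {
    filter_present="$1"
    sack=$(read_sysctl tcp_sack)
    probing=$(read_sysctl tcp_mtu_probing)
    if [ "$sack" = "0" ]; then
        printf 'sack-disabled'
    elif [ "$filter_present" = "1" ] && [ "$probing" = "0" ]; then
        printf 'mss-filter-effective'
    elif [ "$filter_present" = "1" ]; then
        printf 'mss-filter-defeated-by-mtu-probing'
    else
        printf 'unmitigated'
    fi
}

# To apply Workaround #2 on a live host (and persist it in sysctl.conf):
#   sysctl -w net.ipv4.tcp_sack=0
```

Run `sack_mitigation_status 0` (or `1` if your firewall already drops low-MSS segments) after sourcing the script; anything other than `sack-disabled` or `mss-filter-effective` means the host is still exposed.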
References:
Please treat these vulnerabilities as high severity.
-----------------------------------------------------------------------------------------
If you have any questions, please contact our customer service department.