CVE-2019-11477

Date: June 18, 2019

Overview

An integer overflow in the Linux kernel can be triggered to cause a kernel panic, resulting in a denial of service. An attacker sends a crafted sequence of selective acknowledgments (SACKs) on a TCP connection with a small MSS value, leading to a crash.

Details

SACK, or selective acknowledgment, is part of the loss detection mechanism in TCP. A data receiver uses SACK to confirm which segments it has received successfully. This enables the sender to retransmit only the segments missing from a stream. If a stream transmission was incomplete, SACK eliminates the need for larger retransmits. Thus, enabling SACK improves the efficiency of a network.

Any TCP segment has a header that contains information about the segment size. Specifically, MSS, or maximum segment size, tells the receiving device the largest amount of data, in bytes, it can receive. If the MSS value is too small, the number of segments increases significantly. This can cause congestion and result in a complete stall. Usually, the MSS is set to a default value by the operating system.

A malicious actor leverages privileged access to manipulate the MSS value. A crafted sequence of SACK segments with a small MSS value is used to carry out the attack. When such an attack succeeds, the integer overflow occurs in the TCP_SKB_CB(skb)->tcp_gso_segs value.

Affected Environments

All Linux-based systems with kernel version 2.6.29 or above

Prevention

Disable SACK

Drop connection for low MSS value fragments
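
The following host check is an added example, not part of the original advisory: it combines the affected range stated on this page (2.6.29 up to the fix in v5.2-rc6) with the state of the net.ipv4.tcp_sack sysctl to classify a host. The function names and status words are hypothetical, and it assumes upstream version numbering only, so distribution kernels with a backported fix are not recognized.

```shell
#!/bin/sh
# Added example: classify exposure to CVE-2019-11477 from two facts,
# the kernel release string and the net.ipv4.tcp_sack setting.
# Assumption: only the upstream range stated on this page is checked
# (2.6.29 up to the fix in v5.2-rc6); distribution backports are not detected.

# ver_key RELEASE: "4.19.0-5-amd64" -> 4019000 (sortable integer)
ver_key() {
    v=${1%%[!0-9.]*}            # keep the leading "X.Y.Z" part only
    old_ifs=$IFS; IFS=.
    set -- $v                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    printf '%d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}"
}

# sack_exposure RELEASE TCP_SACK_VALUE: prints one status word
sack_exposure() {
    release=$1; sack=$2
    key=$(ver_key "$release")
    in_range=no
    if [ "$key" -ge 2006029 ] && [ "$key" -lt 5002000 ]; then
        in_range=yes
    fi
    # 5.2 release candidates before rc6 predate the fix
    case $release in
        5.2-rc[1-5]*|5.2.0-rc[1-5]*) in_range=yes ;;
    esac
    if [ "$in_range" = no ]; then
        echo outside-affected-range
    elif [ "$sack" = 0 ]; then
        echo mitigated-sack-disabled
    elif [ "$sack" = 1 ]; then
        echo exposed
    else
        echo unknown-sack-state
    fi
}

# Live check on the current host (falls back to "unknown" off Linux)
sack_exposure "$(uname -r)" \
    "$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo unknown)"
```

A result of `exposed` means the kernel is in the affected range and SACK is still enabled; confirm against the distribution's own advisory before treating `outside-affected-range` or `exposed` as final.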

Language: C

Good to know:

Integer Overflow or Wraparound

CWE-190

Upgrade Version

Upgrade to version v5.2-rc6

CVSS v3

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

CVSS v2

Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): None
Integrity (I): None
Availability (A): Complete