Check Point response to TCP SACK PANIC - Linux Kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479
The Linux kernel is vulnerable to an integer overflow in the 16-bit width of TCP_SKB_CB(skb)->tcp_gso_segs. A remote attacker could exploit this to crash the system and create a Denial Of Service.
The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. An attacker might be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection. This could cause the CPU to spend excessive time attempting to reconstruct the list creating a Denial Of Service.
The Linux kernel is vulnerable to a flaw that allows attackers to send crafted packets with low MSS values to trigger excessive resource consumption. An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data. Further, it consumes additional resources (CPU and NIC processing power). This attack requires continued effort from the attacker, and the impact will end shortly after the attacker stops sending traffic. While this attack is ongoing, the system will work at reduced capacity, resulting in a Denial Of Service for some users.
After having inspected the vulnerabilities and relevant patches, the impact to Check Point products is narrowed down to the list below.
Note that Check Point cloud services on relevant platforms were already patched on 18-June-2019.
- CVE-2019-11477 - The following releases are vulnerable:
  - R80.10 Security Management on Smart-1 appliances
  - R80.20 Security Management
  - R80.30 Security Management
  - R80.20_3.10 (CloudGuard)
  - R80.30_3.10 (16000/26000)
  - R80.20SP + Maestro
  - SMB (700/1400/1200R)
- CVE-2019-11478 - All Check Point releases are vulnerable (as this code has already existed in Linux for many years).
- CVE-2019-11479 - Check Point is not vulnerable to this CVE (Check Point does not compile with the vulnerable code).
The vulnerabilities are relevant for local connections only (established TCP connections to or from the Security Gateway).
Connections going through the Security Gateway for Deep Packet Inspection, and most connections to the Gateway Web Portals are not affected.
Fix in code
- R77.30 Security Management and Gateway - Jumbo Hotfix Accumulator for R77.30 (R77_30_jumbo_hf) - Take_351 (and higher).
- R80.10 Security Management and Gateway - Jumbo Hotfix Accumulator for R80.10 (R80_10_jumbo_hf) - Take_225 (and higher).
  For Smart-1 525 / 5050 / 5150 - Download and install R80.10 3.10 Kernel TCP SACK PANIC Hotfix.
  The Hotfix should be installed on top of R80.10 JHF Take_203.
- R80.20 Security Management and Gateway - Jumbo Hotfix Accumulator for R80.20 (R80_20_jumbo_hf) - Take_87 (and higher).
  A new Hotfix, available on top of Jumbo Hotfix Accumulator for R80.20 Take 87, enables the Security Gateway to remove the SACK-permitted option from the TCP headers of packets passing through it, thereby protecting the hosts behind the Security Gateway from attacks using the SACK feature of TCP. The new global parameter provided in the Hotfix will, when set, force the Security Gateway to remove any existing SACK-permitted TCP option.
  To get the Hotfix, please Contact Support. After you install the Hotfix, do the following:
  1. In $FWDIR/boot/modules/fwkern.conf, add this line: tcp_sack_permitted_remove_option=1
  2. In $PPKDIR/boot/modules/simkern.conf, add this line: tcp_sack_permitted_remove_option=1
  3. Reboot the Security Gateway(s).
  Important Note: removing the SACK-permitted option from the TCP headers can have a performance impact on the traffic passing through the gateway. The impact depends on the quantity of lost packets.
- R80.30 Security Management and Gateway - Jumbo Hotfix Accumulator for R80.30 (R80_30_jumbo_hf) - Take_19 (and higher).
- R80.20_3.10 (CloudGuard) - Jumbo Hotfix Accumulator for R80.20 with Gaia 3.10 for AWS, Azure and Open Server Security Gateways (R80_20_3_10_jumbo_hf) - Take_19 (and higher).
- R80.30_3.10 (16000/26000) - Check Point R80.30 with Gaia 3.10 - Take_273 (and higher).
- R80.20SP + Maestro - Jumbo Hotfix Accumulator for R80.20SP - Take_105 (and higher).
- SMB (600/700/900/1100/1200R/1400) - Contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
- High End (R76SP) - Jumbo Hotfix Accumulator for R76SP.50 - Take_196 (and higher).
- CloudGuard for AWS / Azure / Google Cloud Platform:
  If you have applied the mitigation below, it is advised to reverse it after installing the fix.
  To reverse, run:
  echo 1 > /proc/sys/net/ipv4/tcp_sack
  If you added the "#Disable TCP SACK" lines suggested below for making the changes persistent after reboot, remove them after installing the fix.
Until a code fix is available for the release you are using, it is advised to disable the TCP SACK feature system-wide, at least for internet-facing machines.
Log in to Expert mode and run the following:
echo 0 > /proc/sys/net/ipv4/tcp_sack
In order to make the change persistent after reboot, add the following lines in /etc/rc.local (for SMB /pfrm2.0/etc/platformInit should be used instead of /etc/rc.local):
#Disable TCP SACK
sysctl -w net.ipv4.tcp_sack=0
Note: Disabling SACK can have an impact on performance (depending on the packet-loss rate) for local connections only.
Scalable Platforms Appliances
For Scalable Platform Appliances (41000, 44000, 61000, 64000) use the following procedure:
- # g_all "echo 0 > /proc/sys/net/ipv4/tcp_sack"
- # cp /etc/rc.local /etc/rc.local.BKP
- # vi /etc/rc.local and add:
  #Disable TCP SACK
  sysctl -w net.ipv4.tcp_sack=0
- # asg_cp2blades /etc/rc.local
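The following audit helper is an added example, not a Check Point tool: it checks whether the tcp_sack workaround above is active and persisted, and whether the tcp_sack_permitted_remove_option hotfix parameter is set in both kernel module config files. The file paths are parameters (defaults assume a standard Gaia layout; $FWDIR and $PPKDIR must be set in Expert mode) so the checks can also be run against copied files.

```shell
#!/bin/sh
# Added audit helper for the SACK mitigation described in this advisory.
# Every function takes the file it inspects as an argument so that it can
# be run on the gateway or on copies of its configuration files.

# Return 0 if the kernel sysctl file reports SACK disabled (tcp_sack == 0).
sack_disabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_sack}"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Return 0 if the startup script carries the persistence line from the advisory
# (/etc/rc.local, or /pfrm2.0/etc/platformInit on SMB appliances).
sack_persisted() {
    grep -Eq '^[[:space:]]*sysctl[[:space:]]+-w[[:space:]]+net\.ipv4\.tcp_sack=0[[:space:]]*$' "$1" 2>/dev/null
}

# Return 0 if a kernel module config (fwkern.conf / simkern.conf) enables the
# hotfix parameter that strips the SACK-permitted option from transit traffic.
remove_option_enabled() {
    grep -Eq '^[[:space:]]*tcp_sack_permitted_remove_option=1[[:space:]]*$' "$1" 2>/dev/null
}

# Print a summary; return 0 when at least one protection is in place.
# $1 tcp_sack sysctl file, $2 startup script, $3 fwkern.conf, $4 simkern.conf
audit_sack() {
    ok=0
    if sack_disabled "$1"; then echo "kernel: tcp_sack=0 (SACK disabled)"; ok=1
    else echo "kernel: SACK enabled (workaround not applied)"; fi
    if sack_persisted "$2"; then echo "startup: persistence line present in $2"
    else echo "startup: no persistence line in $2 (setting is lost on reboot)"; fi
    if remove_option_enabled "$3" && remove_option_enabled "$4"; then
        echo "hotfix: tcp_sack_permitted_remove_option=1 in fwkern.conf and simkern.conf"; ok=1
    else echo "hotfix: SACK-permitted stripping not enabled in both module config files"; fi
    [ "$ok" -eq 1 ]
}

# Typical invocation on a gateway in Expert mode (not run here):
# audit_sack /proc/sys/net/ipv4/tcp_sack /etc/rc.local \
#     "$FWDIR/boot/modules/fwkern.conf" "$PPKDIR/boot/modules/simkern.conf"
```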