Check Point response to TCP SACK PANIC - Linux Kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479
Symptoms
  • Three related flaws were found in the Linux kernel's handling of TCP networking. The most severe vulnerability could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system's availability.

Cause

CVE-2019-11477:

The Linux kernel is vulnerable to an integer overflow in the 16-bit field TCP_SKB_CB(skb)->tcp_gso_segs. A remote attacker could exploit this to crash the system and create a Denial Of Service.

CVE-2019-11478:

The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted sequence of SACKs that fragments the TCP retransmission queue. An attacker might be able to further exploit the fragmented queue to cause an expensive linked-list walk for every subsequent SACK received on that same TCP connection. This could cause the CPU to spend excessive time walking the list, creating a Denial Of Service.

CVE-2019-11479:

The Linux kernel is vulnerable to a flaw that allows attackers to send crafted packets with low MSS values to trigger excessive resource consumption. An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data. Further, it consumes additional resources (CPU and NIC processing power). This attack requires continued effort from the attacker, and the impact ends shortly after the attacker stops sending traffic. While this attack is ongoing, the system will work at reduced capacity, resulting in a Denial Of Service for some users.


Solution

After inspecting the vulnerabilities and the relevant patches, the impact on Check Point products is narrowed down to the list below.

Note that Check Point cloud services on relevant platforms were already patched on 18-June-2019.

 

Vulnerability

  • CVE-2019-11477 - The following releases are vulnerable:
    • R80.10 Security Management on Smart-1 appliances 
    • R80.20 Security Management 
    • R80.30 Security Management 
    • R80.20_3.10 (CloudGuard) 
    • R80.30_3.10 (16000/26000) 
    • R80.20SP + Maestro 
    • SMB (700/1400/1200R)

  • CVE-2019-11478 - All Check Point releases are vulnerable (the affected code has existed in Linux for many years).

  • CVE-2019-11479 - Check Point is not vulnerable to this CVE (Check Point does not compile the vulnerable code into its kernel).


The vulnerabilities are relevant for local connections only (TCP connections established to or from the Security Gateway itself).
Connections passing through the Security Gateway for Deep Packet Inspection, and most connections to the Gateway Web Portals, are not affected.

 

Fix in code


If you have applied the mitigation below, it is advised to reverse it after installing the fix, since disabling SACK costs performance on lossy links.
To reverse, log in to Expert mode and run:

echo 1 > /proc/sys/net/ipv4/tcp_sack

If you added the "#Disable TCP SACK" lines suggested below to make the change persistent across reboots, remove them after installing the fix, otherwise SACK will be disabled again at the next boot.

 

Mitigation

Until a code fix is available for the release you are using, it is advised to disable the TCP SACK feature system-wide, at least on internet-facing machines.

Log in to Expert mode and run the following:

echo 0 > /proc/sys/net/ipv4/tcp_sack

To make the change persistent across reboots, add the following lines to /etc/rc.local (for SMB appliances, use /pfrm2.0/etc/platformInit instead of /etc/rc.local):

#Disable TCP SACK
sysctl -w net.ipv4.tcp_sack=0


Note: Disabling SACK can degrade performance (depending on the packet-loss rate), but only for the local connections described above; traffic inspected by the Gateway is not affected.

 

Scalable Platforms Appliances

For Scalable Platform Appliances (41000, 44000, 61000, 64000) use the following procedure:

  1. # g_all "echo 0 > /proc/sys/net/ipv4/tcp_sack"

  2. # cp /etc/rc.local /etc/rc.local.BKP

  3. # vi /etc/rc.local and add:

    #Disable TCP SACK
    sysctl -w net.ipv4.tcp_sack=0

  4. # asg_cp2blades /etc/rc.local
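The following script is an added example and is not Check Point tooling: it wraps the manual steps above (set the sysctl, add the two persistence lines, verify, and reverse the change after the fix is installed) in idempotent shell functions. It assumes a Gaia-style /etc/rc.local and /proc/sys/net/ipv4/tcp_sack; both paths are parameters so the functions can be tried against copies first, and so the SMB path /pfrm2.0/etc/platformInit can be passed instead. Distribution to blades on Scalable Platforms (g_all, asg_cp2blades) is not modeled; run the script on the SMO and then copy the resulting rc.local as in step 4.

```shell
#!/bin/sh
# Added example (not from Check Point): apply, verify and reverse the TCP SACK
# mitigation from this article. Paths are parameters so the functions can be
# exercised against copies before the live files are touched.
set -u

# Marker and command exactly as the article suggests, so the reversal step can
# find and remove precisely what the mitigation added.
SACK_MARKER='#Disable TCP SACK'
SACK_CMD='sysctl -w net.ipv4.tcp_sack=0'

# Write 0 or 1 to the sysctl file and read it back. Returns non-zero when the
# value is invalid or the kernel did not accept it (e.g. not in Expert mode).
set_tcp_sack() {
    value="$1"; sysctl_file="${2:-/proc/sys/net/ipv4/tcp_sack}"
    case "$value" in
        0|1) ;;
        *) echo "set_tcp_sack: value must be 0 or 1" >&2; return 2 ;;
    esac
    echo "$value" > "$sysctl_file" || return 1
    [ "$(cat "$sysctl_file")" = "$value" ]
}

# Current value: 0 = SACK disabled (mitigated), 1 = SACK enabled.
get_tcp_sack() {
    cat "${1:-/proc/sys/net/ipv4/tcp_sack}"
}

# Number of marker lines in rc.local (0 or 1 after using these helpers).
count_sack_persist() {
    rc="${1:-/etc/rc.local}"
    [ -f "$rc" ] || { echo 0; return 0; }
    grep -cxF "$SACK_MARKER" "$rc" || true
}

# Add the two persistence lines once. If the file ends with 'exit 0' (common in
# rc.local templates) the lines go before it, otherwise they would never run.
add_sack_persist() {
    rc="${1:-/etc/rc.local}"
    [ -f "$rc" ] || { echo "add_sack_persist: $rc not found" >&2; return 1; }
    grep -qxF "$SACK_MARKER" "$rc" && return 0
    cp "$rc" "$rc.BKP"                      # same backup step as the article
    tmp="$(mktemp)"
    awk -v m="$SACK_MARKER" -v c="$SACK_CMD" '
        { lines[NR] = $0 }
        END {
            n = NR
            if (n > 0 && lines[n] ~ /^ *exit +0 *$/) n--
            for (i = 1; i <= n; i++) print lines[i]
            print m; print c
            if (n < NR) print lines[NR]
        }' "$rc" > "$tmp"
    cat "$tmp" > "$rc"                      # keeps rc.local mode/ownership
    rm -f "$tmp"
}

# Remove exactly the two lines the mitigation added (reversal after the fix).
remove_sack_persist() {
    rc="${1:-/etc/rc.local}"
    [ -f "$rc" ] || return 0
    tmp="$(mktemp)"
    grep -vxF -e "$SACK_MARKER" -e "$SACK_CMD" "$rc" > "$tmp" || true
    cat "$tmp" > "$rc"
    rm -f "$tmp"
}

apply_sack_mitigation() {
    set_tcp_sack 0 "${1:-/proc/sys/net/ipv4/tcp_sack}" && add_sack_persist "${2:-/etc/rc.local}"
}

reverse_sack_mitigation() {
    set_tcp_sack 1 "${1:-/proc/sys/net/ipv4/tcp_sack}" && remove_sack_persist "${2:-/etc/rc.local}"
}

# Usage: sack_mitigation.sh apply|reverse|status [sysctl_file] [rc_file]
# (for SMB appliances pass /pfrm2.0/etc/platformInit as rc_file)
case "${1:-}" in
    apply)   apply_sack_mitigation "${2:-}" "${3:-}" ;;
    reverse) reverse_sack_mitigation "${2:-}" "${3:-}" ;;
    status)  echo "net.ipv4.tcp_sack=$(get_tcp_sack "${2:-}") persisted=$(count_sack_persist "${3:-}")" ;;
esac
```

Run `status` after a reboot to confirm both halves of the mitigation survived: the live value should read 0 and persisted should read 1 until the fixed release is installed, after which `reverse` returns both to their original state.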
