CVE-2019-11477 aka SACK

DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 135
Location: SF Bay Area

Posted: Wed Jun 19, 2019 17:33    Post subject: CVE-2019-11477 aka SACK
I inserted the rule below using the GUI Admin->Commands->firewall, then 'save firewall'.
Code:
iptables -I INPUT 2 -p tcp -m tcpmss --mss 1:500 -j DROP

Details: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/block-low-mss/iptables.txt

Update: The iptables rule above is the only solution available to releases LESS THAN 40058, e.g., all older installs. Unless you compile your own of course.

Redhat has further modified the above Netflix mitigation:
https://access.redhat.com/security/vulnerabilities/tcpsack
Code:
iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP


Last edited by lazardo on Thu Jun 20, 2019 22:19; edited 2 times in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Wed Jun 19, 2019 17:43    Post subject:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md <-- actual advisories, which give workarounds and kernel patches.
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

Posted: Wed Jun 19, 2019 19:26    Post subject:
Fyi - CVE-2019-11478 is in r40058 (and r40060). And there is also CVE-2019-11479, fwiw.
_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250
|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Thu Jun 20, 2019 2:10    Post subject:
jwh7 wrote:
Fyi - CVE-2019-11478 is in r40058 (and r40060). And there is also CVE-2019-11479, fwiw.


I didn't look at the patches close enough, thanks for the confirm.
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Thu Jun 20, 2019 10:17    Post subject:
Code:
iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
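A defender-side check that covers the three rule forms posted in this thread (lazardo's Netflix and Red Hat variants above and Mile-Lile's mangle-table variant): it scans `iptables-save` output for a rule that drops every TCP MSS value from 1 to 500. This is an added example, not code from the thread or from DD-WRT; the ruleset text it parses is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example: verify that a saved ruleset contains a low-MSS DROP rule
# covering the CVE-2019-11477 mitigation (every MSS in 1..500 is dropped).
# Recognised forms, as posted in the thread:
#   -m tcpmss --mss 1:500 -j DROP
#   --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
#   -m tcpmss ! --mss 536:65535 -j DROP
# On a live router (as root) feed it real output: low_mss_drop_rules "$(iptables-save)"

# Print each rule line that drops TCP packets with an MSS covering 1..500.
low_mss_drop_rules() {
  printf '%s\n' "$1" | awk '
    /^-A / && /-p tcp/ && /-m tcpmss/ && /-j DROP$/ {
      neg = 0; range = ""
      for (i = 2; i <= NF; i++)
        if ($i == "--mss") { neg = ($(i-1) == "!"); range = $(i+1) }
      if (split(range, r, ":") != 2) next
      lo = r[1] + 0; hi = r[2] + 0
      # positive match: the range must span at least 1..500
      # negated match: everything below lo is dropped, so lo must exceed 500
      if ((!neg && lo <= 1 && hi >= 500) || (neg && lo > 500)) print
    }'
}

# Number of covering rules; 0 means the mitigation is not in place.
count_low_mss_drop() {
  low_mss_drop_rules "$1" | awk 'END { print NR }'
}

# Constructed iptables-save output, not captured from a real router.
SAMPLE_WITH_RULES='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcpmss --mss 1:400 -j DROP
-A INPUT -p tcp -m tcpmss --mss 1:500 -j ACCEPT
COMMIT'

SAMPLE_WITHOUT_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

echo "covering rules found: $(count_low_mss_drop "$SAMPLE_WITH_RULES")"
```

The `--mss 1:400` rule and the ACCEPT rule in the sample are deliberately not counted: the first leaves MSS 401..500 unfiltered, the second does not drop anything.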