Written by Jan Otte, Thursday 20 June 2019

This security advisory is a reaction on the recently discovered network vulnerabilities in Linux kernel (see below on particular names and links).

These vulnerabilities can, under certain circumstances, be used by an attacker against a range of our routers running current firmware (6.1.9) with the potential result of the router rebooting.

We have already prepared a patch which closes the vulnerabilities. The patch will be included in future firmware versions (6.1.10, 6.2.0) when these are released.

Until the new firmware versions are available, you may apply any of the recommended workaround. The easiest workaround (and also the recommended one) is to disable SACK processing by issuing this command:

echo 0 > /proc/sys/net/ipv4/tcp_sack

Note that the command will affect the settings until reboot. If you want the effect to last over reboot (recommended) you should add the command also to the startup script.

The command disables SACK processing. The impact of disabling SACK processing would not be noticed unless in some corner cases. If you find out that the device performance or throughput is affected considerably, you may try another workaround (please go through the linked articles). Please do not forget to contact support in that case. We will inspect your case and try to find more convenient workaround for your particular setup.

The vulnerabilities discovered are formed in three CVEs:

1. CVE-2019-11477 aka SACK Panic, that impacts Linux kernel version 2.6.29 and newer. This could possibly lead to kernel panic (resulting in router restart after short time).
2. CVE-2019-11478 aka SACK Slowness, that impacts Linux kernel version prior to 4.15. This could lead to slowing down the retransmission of TCP sequences (frames).
3. CVE-2019-11479, that impacts all Linux kernel version. This could lead to excessive resource consumption and effectively to a denial of service.

Links:

• SA - Netflix (original)
• SA - RedHat