CVE-2019-11477

Description

Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

CVSS Metrics

• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
• v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
• v2.0•HIGH•Score: 7.8AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS Trends

Current EPSS score: 69.92%• Percentile: 99%

Techniques & Countermeasures

• CWE-190•Integer Overflow or Wraparound

  The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Affected Systems

• canonical•ubuntu_linux

  12.04 | 14.04 | 16.04 | 18.04 | 18.10 | 19.04

• f5•big-ip_access_policy_manager

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_advanced_firewall_manager

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_analytics

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_application_acceleration_manager

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_application_security_manager

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_domain_name_system

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_edge_gateway

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_fraud_protection_service

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_global_traffic_manager

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_link_controller

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_local_traffic_manager

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_policy_enforcement_manager

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•big-ip_webaccelerator

  ≥ 11.5.2, ≤ 11.6.4 | ≥ 12.1.0, ≤ 12.1.4 | ≥ 13.1.0, ≤ 13.1.1 | ≥ 14.0.0, ≤ 14.1.0 | 15.0.0

• f5•traffix_signaling_delivery_controller

  ≥ 5.0.0, ≤ 5.1.0

• ivanti•connect_secure

  na

• linux•linux_kernel

  ≥ 2.6.29, < 3.16.69 | ≥ 3.17, < 4.4.182 | ≥ 4.5, < 4.9.182 | ≥ 4.10, < 4.14.127 | ≥ 4.15, < 4.19.52 | ≥ 4.20, < 5.1.11 | ≥ 4.4, < 4.4.182 | ≥ 4.9, < 4.9.182 | ≥ 4.14, < 4.14.127 | ≥ 4.19, < 4.19.52 | ≥ 5.1, < 5.1.11

• pulsesecure•pulse_policy_secure

  na

• pulsesecure•pulse_secure_virtual_application_delivery_controller

  na

• redhat•enterprise_linux

  5.0 | 6.0 | 7.0 | 8.0

• redhat•enterprise_linux_atomic_host

  na

• redhat•enterprise_linux_aus

  6.5 | 6.6

• redhat•enterprise_linux_eus

  7.4 | 7.5

• redhat•enterprise_mrg

  2.0

References (29)

• https://www.kb.cert.org/vuls/id/905115
• http://www.openwall.com/lists/oss-security/2019/06/20/3
• https://access.redhat.com/errata/RHSA-2019:1594
• https://access.redhat.com/errata/RHSA-2019:1602
• http://www.openwall.com/lists/oss-security/2019/06/28/2
• http://www.openwall.com/lists/oss-security/2019/07/06/3
• http://www.openwall.com/lists/oss-security/2019/07/06/4
• https://access.redhat.com/errata/RHSA-2019:1699
• http://www.openwall.com/lists/oss-security/2019/10/24/1
• http://www.openwall.com/lists/oss-security/2019/10/29/3
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=3b4929f65b0d8249f19a50245cd88ed1a2f78cff
• https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
• https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
• https://access.redhat.com/security/vulnerabilities/tcpsack
• https://support.f5.com/csp/article/K78234183
• http://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.html
• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44193
• https://www.synology.com/security/advisory/Synology_SA_19_28
• https://security.netapp.com/advisory/ntap-20190625-0001/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0006
• https://kc.mcafee.com/corporate/index?page=content&id=SB10287
• http://www.vmware.com/security/advisories/VMSA-2019-0010.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf
• https://www.us-cert.gov/ics/advisories/icsa-19-253-03
• http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html
• http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191225-01-kernel-en
• http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt