SACK Panic And SACK Slowness Kernel Vulnerabilities Affecting To VMware

SACK Panic And SACK Slowness Kernel Vulnerabilities Affecting To VMware

There are many VMware Products affected with recently disclosed linux kernel vulnerability called SACK Panic and SACK Slowness, VMware has released the VMSA-2019-0010 Security Advisory for this vulnerability. These vulnerabilities could be exploited by a remote attacker who does not authenticated, by a so called “Denial-Of-Service” (DoS) attack and it could reboot the vulnerable systems.

At the time of writing this article, VMware only issued the security updates for SD-WAN, Unified Access Gateway, and vCenter Server Appliance (VCSA).

VMware also provide some workaround to protect these vulnerable systems with modifying the in-built firewall to block the incoming connections with a low MSS Value or disabling the SACK. This is possible as soon as remote attacker opens a connection with a TCP protocol

Below VMware Products Have Been Impacted:

  • AppDefense
  • Container Service Extension
  • Enterprise PKS
  • Horizon
  • Horizon DaaS 
  • Hybrid Cloud Extension
  • Identity Manager
  • Integrated OpenStack
  • NSX for vSphere
  • NSX-T Data Center
  • Pulse Console
  • SD-WAN Edge by VeloCloud
  • SD-WAN Gateway by VeloCloud
  • SD-WAN Orchestrator by VeloCloud
  • Skyline Collector
  • Unified Access Gateway
  • vCenter Server Appliance
  • vCloud Availability Appliance
  • vCloud Director For Service Providers
  • vCloud Usage Meter
  • vRealize Automation
  • vRealize Business for Cloud
  • vRealize Code Stream
  • vRealize Log Insight
  • vRealize Network Insight
  • vRealize Operations Manager
  • vRealize Orchestrator Appliance
  • vRealize Suite Lifecycle Manager
  • vSphere Data Protection
  • vSphere Integrated Containers
  • vSphere Replication

VMware KB 70900 released to protect the VMware vCloud Director for Service Provider 9.7.x and 9.5.x versions.

Below Separate Issues Were Identified With Regard To This:

  • CVE-2019-11477: SACK PANIC
    • A sequence of SACKs created by an attacker can trigger integer flow which leads to a kernel panic
  • CVE-2019-11478: SACK Slowness or Excess Resource Usage
    • A sequence of SACKs which will fragmented the TCP re-transmission queue to cause an expensive linked-list walk for subsequent SACKS received for that same TCP connection

Apply Workarounds :

Block Connections with a low MSS (workaround 1):

If attacker is using small MSS this iptables rule will drop the TCP SYN packets. This will block connection establishment and block the attack

Note: This will break legitimate connections which rely on a low MSS

iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

Disable SACK Processing (workaround 2):

Disable selective acknowledgements system wide for all newly established TCP connections. SSH in to the appliance and execute the below command, please note that this is for the temporary solution until your next reboot.

Note: This will cause a slow down in the processing of TCP connections

echo 0 > /proc/sys/net/ipv4/tcp_sack 

To make it persist after the reboot create a file in /etc/sysctl.d/ such as/etc/sysctl.d/99-tcpsack.conf – with the below content

# CVE-2019-11477 & CVE-2019-11478 

To remove the applied changes execute the below command and it is also a temporary change until next reboot

echo 1 > /proc/sys/net/ipv4/tcp_sack

To permanently remove it delete the created file /etc/sysctl.d (ex: /etc/sysctl.d/99-tcpsack.conf)

Disclaimer: Please note that above changes are not tested and verified by the author and please do it by your own risk!


Click to rate this post!
[Total: 3 Average: 5]

Leave a Reply

Your email address will not be published. Required fields are marked *