There are many VMware Products affected with recently disclosed linux kernel vulnerability called SACK Panic and SACK Slowness, VMware has released the VMSA-2019-0010 Security Advisory for this vulnerability. These vulnerabilities could be exploited by a remote attacker who does not authenticated, by a so called “Denial-Of-Service” (DoS) attack and it could reboot the vulnerable systems.
At the time of writing this article, VMware only issued the security updates for SD-WAN, Unified Access Gateway, and vCenter Server Appliance (VCSA).
VMware also provide some workaround to protect these vulnerable systems with modifying the in-built firewall to block the incoming connections with a low MSS Value or disabling the SACK. This is possible as soon as remote attacker opens a connection with a TCP protocol
Below VMware Products Have Been Impacted:
- AppDefense
- Container Service Extension
- Enterprise PKS
- Horizon
- Horizon DaaS
- Hybrid Cloud Extension
- Identity Manager
- Integrated OpenStack
- NSX for vSphere
- NSX-T Data Center
- Pulse Console
- SD-WAN Edge by VeloCloud
- SD-WAN Gateway by VeloCloud
- SD-WAN Orchestrator by VeloCloud
- Skyline Collector
- Unified Access Gateway
- vCenter Server Appliance
- vCloud Availability Appliance
- vCloud Director For Service Providers
- vCloud Usage Meter
- vRealize Automation
- vRealize Business for Cloud
- vRealize Code Stream
- vRealize Log Insight
- vRealize Network Insight
- vRealize Operations Manager
- vRealize Orchestrator Appliance
- vRealize Suite Lifecycle Manager
- vSphere Data Protection
- vSphere Integrated Containers
- vSphere Replication
VMware KB 70900 released to protect the VMware vCloud Director for Service Provider 9.7.x and 9.5.x versions.
Below Separate Issues Were Identified With Regard To This:
- CVE-2019-11477: SACK PANIC
- A sequence of SACKs created by an attacker can trigger integer flow which leads to a kernel panic
- CVE-2019-11478: SACK Slowness or Excess Resource Usage
- A sequence of SACKs which will fragmented the TCP re-transmission queue to cause an expensive linked-list walk for subsequent SACKS received for that same TCP connection
Apply Workarounds :
Block Connections with a low MSS (workaround 1):
If attacker is using small MSS this iptables rule will drop the TCP SYN packets. This will block connection establishment and block the attack
Note: This will break legitimate connections which rely on a low MSS
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROPDisable SACK Processing (workaround 2):
Disable selective acknowledgements system wide for all newly established TCP connections. SSH in to the appliance and execute the below command, please note that this is for the temporary solution until your next reboot.
Note: This will cause a slow down in the processing of TCP connections
echo 0 > /proc/sys/net/ipv4/tcp_sack To make it persist after the reboot create a file in /etc/sysctl.d/ such as/etc/sysctl.d/99-tcpsack.conf – with the below content
# CVE-2019-11477 & CVE-2019-11478
net.ipv4.tcp_sack=0To remove the applied changes execute the below command and it is also a temporary change until next reboot
echo 1 > /proc/sys/net/ipv4/tcp_sackTo permanently remove it delete the created file /etc/sysctl.d (ex: /etc/sysctl.d/99-tcpsack.conf)
Disclaimer: Please note that above changes are not tested and verified by the author and please do it by your own risk!
