CVE-2019-11479

Priority
Description
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded
to 48 bytes. This allows a remote peer to fragment TCP resend queues
significantly more than if a larger MSS were enforced. A remote attacker
could use this to cause a denial of service. This has been fixed in stable
kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed
in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and
5f3e2bf008c2221478101ee72f5cb4654b9fc363.
Ubuntu-Description
Jonathan Looney discovered that the Linux kernel could be coerced into
segmenting responses into multiple TCP segments. A remote attacker
could construct an ongoing sequence of requests to cause a denial of
service.
Mitigation
This can be mitigated by dropping all packets that specify an MSS value
that is too small. For example, to only allow MSS values greater than 500
bytes, an iptables rule can be specified as:
    sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
Note: this will only take effect if the net.ipv4.tcp_mtu_probing sysctl is
disabled as well.
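The mitigation above depends on two conditions holding together: the tcpmss DROP rule and a disabled net.ipv4.tcp_mtu_probing. The following check is an added example, not part of the Ubuntu tracker entry; the function name, status strings and sample ruleset are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Ubuntu tracker): decide whether the low-MSS
# DROP mitigation is really in force.
#   $1 rules   - text in iptables-save format
#   $2 probing - value of net.ipv4.tcp_mtu_probing (0 means disabled)
#   $3 floor   - highest MSS that must be dropped (default 500, as on the page)
check_mss_mitigation() {
    rules=$1; probing=$2; floor=${3:-500}
    covered=no
    # Extract "low high" from each INPUT rule that DROPs on a tcpmss range.
    ranges=$(printf '%s\n' "$rules" | sed -n \
        's/^-A INPUT .*-m tcpmss --mss \([0-9][0-9]*\):\([0-9][0-9]*\) .*-j DROP *$/\1 \2/p')
    while read -r low high; do
        [ -n "$low" ] || continue
        # The range must start at 1 and reach at least the floor.
        if [ "$low" -le 1 ] && [ "$high" -ge "$floor" ]; then
            covered=yes
        fi
    done <<EOF
$ranges
EOF
    if [ "$covered" = no ]; then
        echo "missing-rule"
    elif [ "$probing" != 0 ]; then
        # Rule exists, but the page notes it has no effect with MTU probing on.
        echo "ineffective-mtu-probing-enabled"
    else
        echo "effective"
    fi
}

# Constructed sample input in iptables-save format.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
COMMIT'

check_mss_mitigation "$SAMPLE_RULES" 0
check_mss_mitigation "$SAMPLE_RULES" 1
# On a live host:
#   check_mss_mitigation "$(sudo iptables-save)" "$(sysctl -n net.ipv4.tcp_mtu_probing)"
```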
Assigned-to
tyhicks
Notes
tyhicks: This issue is primarily due to the TCP spec not defining a minimum
value for the Minimum Segment Size (MSS). The Linux kernel cannot safely put
a restriction on the MSS because it may break valid TCP connections. This
issue will be addressed by allowing a system administrator to raise the
smallest acceptable MSS value but there will be no default mitigation by
default.
Package
Source: linux
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):ignored (was needed ESM criteria)
Ubuntu 14.04 ESM (Trusty Tahr):ignored (was needed ESM criteria)
Ubuntu 16.04 LTS (Xenial Xerus):released (4.4.0-154.181)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.15.0-54.58)
Patches:
Break-fix:-
Break-fix:-
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (4.4.0-1048.52)
Ubuntu 16.04 LTS (Xenial Xerus):released (4.4.0-1087.98)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.15.0-1043.45)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (4.15.0-1043.45~16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (4.15.0-1049.54~14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus):released (4.15.0-1049.54)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.18.0-1023.24~18.04.1)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (4.15.0-1049.54)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.18.0-1023.24~18.04.1)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):ignored (was needed now end-of-life)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):ignored (abandoned)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (4.15.0-1036.38~16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.15.0-1036.38)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):released (4.18.0-1015.16~18.04.1)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):ignored (end-of-life)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):released (4.15.0-1036.38)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (5.0.0-1011.11~18.04.1)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):ignored (end-of-life)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (4.15.0-54.58~16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.18.0-25.26~18.04.1)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (4.15.0-54.58~16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver):released (5.0.0-20.21~18.04.1)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (4.4.0-1051.58)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.15.0-1038.38)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):ignored (was needed ESM criteria)
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (4.4.0-154.181~14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):ignored (abandoned)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):ignored (was needed now end-of-life)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.15.0-1045.50)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (4.15.0-1017.19~16.04.2)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.15.0-1017.19)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (4.4.0-1114.123)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.15.0-1040.43)
Package
Upstream:released (5.2~rc6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (4.4.0-1118.124)
Ubuntu 18.04 LTS (Bionic Beaver):released (4.15.0-1057.62)

Updated: 2020-10-15 02:27:03 UTC (commit c422c0bce0600d2a0b7af63177d967cd3f564a78)