Mitigating Linux TCP Vulnerabilities with UFW
On June 17, 2019, Netflix released a security bulletin about vulnerabilities in the Linux and FreeBSD kernels. Here we discuss only the vulnerabilities affecting the Linux kernel and how to apply the mitigations with ufw.
The vulnerabilities discussed are: CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479.
Netflix mentions patches and a choice of mitigations. Here we discuss only one type of mitigation.
The Netflix bulletin mentions both sysctl and iptables. Fortunately, ufw takes care of this for us, albeit in a non-obvious way. The ufw config files are kept in /etc/ufw, and that's where we find before.rules and sysctl.conf.
So we edit sysctl.conf first, and make sure tcp_sack is set to zero.

## Setting this to zero to mitigate CVE-2019-11477, CVE-2019-11478.
net/ipv4/tcp_sack=0
Additionally, we can explicitly set tcp_mtu_probing to zero, but that's probably not necessary.

## Setting this to zero to mitigate CVE-2019-11479.
net/ipv4/tcp_mtu_probing=0
Then, we edit before.rules and add a firewall rule to drop small-MSS packets, right after we accept everything on the loopback.

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
## Mitigate CVE-2019-11479.
-A ufw-before-input -p tcp -m tcpmss --mss 1:500 -j DROP
Finally, we reload ufw to enable the new settings.

ufw reload
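As an added example (my own script, not from the original post or from ufw), here is a small POSIX shell script that makes the three edits above idempotently to whatever copies of sysctl.conf and before.rules you point it at, then verifies they are present. The function names are mine, and it assumes the stock before.rules layout where the "-A ufw-before-output -o lo -j ACCEPT" line exists to anchor the new rule.

```shell
#!/bin/sh
# Added example: apply and verify the ufw mitigations from the post on the
# given files. Try it on scratch copies before pointing it at /etc/ufw, and
# run "ufw reload" afterwards when applied to the real files.

# Ensure "key=value" is present in a ufw-style sysctl.conf; an existing
# line for the same key is rewritten in place rather than duplicated.
set_sysctl() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s#^${key}=.*#${key}=${value}#" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Insert the small-MSS DROP rule once, directly after the loopback ACCEPTs.
add_mss_rule() {
    file=$1
    rule='-A ufw-before-input -p tcp -m tcpmss --mss 1:500 -j DROP'
    grep -qF -- "$rule" "$file" && return 0
    awk -v rule="$rule" '
        { print }
        /^-A ufw-before-output -o lo -j ACCEPT/ {
            print "## Mitigate CVE-2019-11479."
            print rule
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Return 0 only when the sysctl setting and the firewall rule are both present.
verify_mitigations() {
    sysctl_file=$1; rules_file=$2
    grep -q '^net/ipv4/tcp_sack=0$' "$sysctl_file" || return 1
    grep -qF -- '-m tcpmss --mss 1:500 -j DROP' "$rules_file" || return 1
    return 0
}

# usage: apply_mitigations /path/to/sysctl.conf /path/to/before.rules
apply_mitigations() {
    set_sysctl "$1" net/ipv4/tcp_sack 0
    set_sysctl "$1" net/ipv4/tcp_mtu_probing 0
    add_mss_rule "$2"
    verify_mitigations "$1" "$2"
}
```

Running apply_mitigations a second time changes nothing, so it is safe to re-run after a package update rewrites either file.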
Disclaimer. I hope I got everything right, and these mitigations actually do work. In the event I misunderstood the Netflix recommendations and/or misapplied anything, I waive all responsibility. You are after all responsible for your own system.