On June 17, 2019, Netflix released a security bulletin about vulnerabilities in the Linux and FreeBSD kernels. Here we will only discuss the vulnerabilities affecting the Linux kernel and how to apply the mitigations with
The vulnerabilities discussed are: CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479.
Netflix mentions patches and a choice of mitigations. Here we discuss only type of mitigation.
In the Netflix bulletin, we have mentions of
iptables. And fortunately,
ufw does take care if this for us, albeit in a non-obvious way. The
ufw config files are kept in
/etc/ufw and that’s where we find
So we edit
sysctl.conf first, and make sure
tcp_sack is set to zero.
## Setting this to zero to mitigate CVE-2019-11477, CVE-2019-11478. net/ipv4/tcp_sack=0
Additionally, we can explicitly set the
tcp_mtu_probing to zero, but that’s probably not necessary.
## Setting this to zero to mitigate CVE-2019-11479. net/ipv4/tcp_mtu_probing=0
Then, we edit
before.rules and add a firewall rule to drop small MSS packets, right after we accept everything on the loopback.
# allow all on loopback -A ufw-before-input -i lo -j ACCEPT -A ufw-before-output -o lo -j ACCEPT ## Mitigate CVE-2019-11479. -A ufw-before-input -p tcp -m tcpmss --mss 1:500 -j DROP
Finally, we reload the
ufw to enable the new settings.
Disclaimer. I hope I got everything right, and these mitigations actually do work. In the event I misunderstood the Netflix recommendations and/or misapplied anything, I waive all responsibility. You are after all responsible for your own system.