Tag Archives: security

Mitigating Linux TCP Vulnerabilities with UFW

On June 17, 2019, Netflix released a security bulletin about vulnerabilities in the Linux and FreeBSD kernels. Here we will only discuss the vulnerabilities affecting the Linux kernel and how to apply the mitigations with ufw.

The vulnerabilities discussed are: CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479.

Netflix mentions patches and a choice of mitigations. Here we discuss only type of mitigation.

In the Netflix bulletin, we have mentions of sysctl and iptables. And fortunately, ufw does take care if this for us, albeit in a non-obvious way. The ufw config files are kept in /etc/ufw and that’s where we find before.rules and sysctl.conf.

So we edit sysctl.conf first, and make sure tcp_sack is set to zero.

## Setting this to zero to mitigate CVE-2019-11477, CVE-2019-11478.
net/ipv4/tcp_sack=0

Additionally, we can explicitly set the tcp_mtu_probing to zero, but that’s probably not necessary.

## Setting this to zero to mitigate CVE-2019-11479.
net/ipv4/tcp_mtu_probing=0

Then, we edit before.rules and add a firewall rule to drop small MSS packets, right after we accept everything on the loopback.

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

## Mitigate CVE-2019-11479.
-A ufw-before-input -p tcp -m tcpmss --mss 1:500 -j DROP

Finally, we reload the ufw to enable the new settings.

ufw reload

Disclaimer. I hope I got everything right, and these mitigations actually do work. In the event I misunderstood the Netflix recommendations and/or misapplied anything, I waive all responsibility. You are after all responsible for your own system.

Remember to Delete the Root Password from Your History File

Ok, so you accidentally type in the root password before using su -.

$ ThisIsMyRootPassword

Now you have to remember to delete it from your history file. This is somewhat non-obvious, because the history file is typically saved on successful exit.

So if you immediately do something like this.

$ tail -2 ~/.bash_history
ssh somehost
su -

There’s nothing suspicious in the history file.

So, log out, then log back in. Typically that means closing your ssh session, or terminal tab, and open a new session.

Now you see the password in the history file.

$ tail -2 ~/.bash_history
su -
ThisIsMyRootPassword

So fire up an editor and delete the line.