TCP SACK PANIC (CVE-2019-11477/11478/11479) mitigation via Puppet

Red Hat have provided a nice write-up here : https://access.redhat.com/security/vulnerabilities/tcpsack and it includes mitigations you can use until you are able to reboot hosts onto a kernel that carries the fix.

Here’s a Puppet manifest which enables those mitigations (requires the herculesteam/augeasproviders_sysctl module for the `sysctl` type and puppetlabs/firewall for the `firewall` type, both from the Puppet Forge) :

# CVE-2019-11477/11478/11479 workaround until hosts can be rebooted onto a patched kernel
# https://access.redhat.com/security/vulnerabilities/tcpsack for description and mitigations
# Requires herculesteam/augeasproviders_sysctl (sysctl type) and puppetlabs/firewall (firewall type)

class profile::security_workarounds::cve_2019_11477 {
  # Disabling SACK processing removes the trigger for CVE-2019-11477 and CVE-2019-11478.
  # persist => true also writes the setting to sysctl.conf so it survives a reboot.
  sysctl { 'net.ipv4.tcp_sack':
    ensure  => present,
    value   => '0',
    persist => true,
    comment => 'Mitigate issue CVE-2019-11477 and CVE-2019-11478 via sysctl',
  }

  # Dropping new connections that advertise a low MSS is the only mitigation for
  # CVE-2019-11479 and also covers CVE-2019-11477/11478. Equivalent iptables rule:
  #   iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
  # The low '009' prefix keeps the rule near the top of the INPUT chain.
  firewall { '009 drop new connections with low MSS sizes (CVE-2019-11477,11478,11479)':
    chain     => 'INPUT',
    proto     => 'tcp',
    action    => 'drop',
    tcp_flags => 'SYN SYN',  # mask SYN, match SYN: new connections only
    mss       => '1:500',
  }
  # Same rule for IPv6:
  #   ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
  firewall { '009 ipv6 drop new connections with low MSS sizes (CVE-2019-11477,11478,11479)':
    chain     => 'INPUT',
    proto     => 'tcp',
    action    => 'drop',
    tcp_flags => 'SYN SYN',
    mss       => '1:500',
    provider  => 'ip6tables',
  }
}

You can of course pick between the `sysctl` and `firewall` versions as necessary for your environment, but note the trade-offs: the sysctl version doesn’t mitigate CVE-2019-11479 and disabling SACK costs throughput on lossy links, while the low-MSS filter drops any legitimate client that genuinely advertises an MSS of 500 or less (Red Hat’s write-up warns about this), so check that is acceptable before rolling it out widely.

Obviously, the best long-term solution is still to upgrade the kernel!
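As an added example (not part of the original post), here is a variant of the class above that keys the workaround on the running kernel, so it applies itself only on unpatched hosts and reverts itself once a host has been rebooted onto a patched kernel. It assumes the same two Forge modules as before; the default value of `$fixed_kernel` is an assumption for illustration, so take the real first-fixed kernel version from your distribution’s advisory.

```puppet
# Added example, not from the original post. Applies the SACK PANIC workaround only
# while the running kernel is older than $fixed_kernel and reverts it afterwards.
class profile::security_workarounds::cve_2019_11477_auto (
  # Assumed threshold for illustration; set the first fixed kernel for your
  # distribution, ideally per operating system via Hiera.
  String $fixed_kernel = '3.10.0-957.21.3.el7',
) {
  # kernelrelease is the *running* kernel (uname -r), so this only flips after the
  # reboot, not when the new kernel package is merely installed.
  $patched = versioncmp($facts['kernelrelease'], $fixed_kernel) >= 0

  # Once patched, set SACK back to the kernel default of 1 rather than removing the
  # entry: ensure => absent would only clean sysctl.conf and leave the live value at 0.
  $sack_value = $patched ? { true => '1', default => '0' }
  $rule_state = $patched ? { true => 'absent', default => 'present' }

  sysctl { 'net.ipv4.tcp_sack':
    ensure  => present,
    value   => $sack_value,
    persist => true,
    comment => 'CVE-2019-11477/11478 workaround managed by Puppet (1 once the kernel is patched)',
  }

  # Low-MSS filter for CVE-2019-11477/11478/11479; removed again on patched hosts.
  firewall { '009 drop new connections with low MSS sizes (CVE-2019-11477,11478,11479)':
    ensure    => $rule_state,
    chain     => 'INPUT',
    proto     => 'tcp',
    action    => 'drop',
    tcp_flags => 'SYN SYN',
    mss       => '1:500',
  }
  firewall { '009 ipv6 drop new connections with low MSS sizes (CVE-2019-11477,11478,11479)':
    ensure    => $rule_state,
    chain     => 'INPUT',
    proto     => 'tcp',
    action    => 'drop',
    tcp_flags => 'SYN SYN',
    mss       => '1:500',
    provider  => 'ip6tables',
  }
}
```

Because the comparison uses `$facts['kernelrelease']`, the first Puppet run after the reboot onto the patched kernel re-enables SACK and deletes the two firewall rules, so nobody has to remember to retire the workaround. Kernel version strings differ between distributions (an el7 threshold means nothing on a Debian host), so feed `$fixed_kernel` from Hiera keyed on the OS rather than relying on the single default shown.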