TCP SACK PANIC (CVE-2019-11477/11478/11479) mitigation via Puppet

Red Hat have provided a nice write-up here: https://access.redhat.com/security/vulnerabilities/tcpsack, which includes mitigations you can apply until you can reboot hosts onto a kernel that carries the fix.

Here’s a Puppet manifest which enables those mitigations (requires the herculesteam/augeasproviders_sysctl module for the `sysctl` resource and the puppetlabs/firewall module for the `firewall` resources, both from the Puppet Forge):

# CVE-2019-11477/11478/11479 mitigations until reboots onto a patched kernel can occur
# https://access.redhat.com/security/vulnerabilities/tcpsack for description and mitigations

class profile::security_workarounds::cve_2019_11477 {
  sysctl { 'net.ipv4.tcp_sack':
    ensure  => present,
    value   => '0',
    persist => true,
    comment => 'Mitigate issue CVE-2019-11477 and CVE-2019-11478 via sysctl',
  }

  # iptables can also mitigate CVE-2019-11479
  #iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
  firewall { '009 drop new connections with low MSS sizes (CVE-2019-11477,11478,11479)':
    chain     => 'INPUT',
    proto     => 'tcp',
    action    => 'drop',
    tcp_flags => 'SYN SYN',
    mss       => '1:500',
  }
  #ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
  firewall { '009 ipv6 drop new connections with low MSS sizes (CVE-2019-11477,11478,11479)':
    chain     => 'INPUT',
    proto     => 'tcp',
    action    => 'drop',
    tcp_flags => 'SYN SYN',
    mss       => '1:500',
    provider  => 'ip6tables',
  }
}

You can of course pick between the `sysctl` and `iptables` versions as necessary for your environment, but note that the sysctl version only covers CVE-2019-11477 and CVE-2019-11478 and doesn’t mitigate CVE-2019-11479; the low-MSS firewall rule covers all three, at the cost of dropping the (rare) legitimate clients that advertise an MSS of 500 bytes or less. Disabling SACK also costs throughput on lossy links, so remember to revert it once hosts are running a patched kernel.
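To check whether the mitigations the manifest applies are actually in effect on a host (and which CVEs they cover), here is a small POSIX shell script. It is an added example, not part of the original post or of the Puppet modules; the helper names are made up for it, and the embedded `iptables-save` text is a constructed sample of what the manifest's rule looks like once applied.

```shell
#!/bin/sh
# Added example (not from the original post): verifies the TCP SACK PANIC
# mitigations on a host. The pure helpers take their input as arguments so they
# can be exercised offline; check_live reads the running kernel and netfilter state.

# sack_disabled VALUE: succeeds when a net.ipv4.tcp_sack value means SACK is off.
sack_disabled() {
    [ "$1" = "0" ]
}

# mss_rule_present RULES: RULES is iptables-save / ip6tables-save text. Succeeds when
# the INPUT chain carries the Red Hat rule: SYN packets with MSS 1..500 are dropped.
mss_rule_present() {
    printf '%s\n' "$1" |
        grep -Eq -e '^-A INPUT .*--tcp-flags SYN SYN .*-m tcpmss --mss 1:500 .*-j DROP$'
}

# mitigation_status SACK_VALUE RULES4 RULES6: prints the CVEs covered, following the
# Red Hat advisory: the MSS rule (needed for IPv4 and IPv6) covers all three,
# SACK off covers only CVE-2019-11477 and CVE-2019-11478.
mitigation_status() {
    sack="$1"; rules4="$2"; rules6="$3"
    covered=""
    if mss_rule_present "$rules4" && mss_rule_present "$rules6"; then
        covered="CVE-2019-11477 CVE-2019-11478 CVE-2019-11479"
    elif sack_disabled "$sack"; then
        covered="CVE-2019-11477 CVE-2019-11478"
    fi
    printf '%s\n' "${covered:-none}"
}

# check_live: read the host's state; exit 0 only when all three CVEs are covered.
check_live() {
    sack="$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo unknown)"
    rules4="$(iptables-save 2>/dev/null || true)"
    rules6="$(ip6tables-save 2>/dev/null || true)"
    status="$(mitigation_status "$sack" "$rules4" "$rules6")"
    echo "net.ipv4.tcp_sack=$sack mitigated: $status"
    [ "$status" = "CVE-2019-11477 CVE-2019-11478 CVE-2019-11479" ]
}

# Constructed sample of what iptables-save prints once the manifest's rule is applied.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -m comment --comment "009 drop new connections with low MSS sizes (CVE-2019-11477,11478,11479)" -j DROP
COMMIT'

# Run the live check only when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh check_sack.sh --live` on a host (as root, so `iptables-save` can read the tables); a non-zero exit means at least one of the three CVEs is not covered, which is the state you get with the sysctl-only variant.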

Obviously, the best long-term solution is still to upgrade the kernel!

Dell C6145 (and presumably other Dell Cloud hosts) IPMItool BMC setup commands

Upgrading the BMC firmware on these hosts resets the settings to default (argh!), which includes:

  • Setting to DHCP for IP source
  • Losing the static IP, netmask and default gateway settings
  • Switching to a “shared” NIC rather than dedicated
    • (This doesn’t appear to be “use dedicated then fall back if not”, just straight to “shared”…)

Unfortunately, the various Dell docs don’t make this clear, nor exactly which ipmitool commands to run on a C6145 to set the BMC back to “dedicated” network port usage.

I haven’t tried these on any other Dell Cloud models yet (e.g. C5000, C8000), so I don’t know if they work at all! Use them at your own risk!

Resetting the BMC IP setup is fairly straightforward:

# ipmitool lan set 1 ipsrc static
# ipmitool lan set 1 ipaddr 1.2.3.4
# ipmitool lan set 1 netmask 255.255.255.0
# ipmitool lan set 1 defgw ipaddr 1.2.3.250

Then printing the current config shows the expected configuration:

# ipmitool lan print 1
Set in Progress         : Set Complete
Auth Type Support       : MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 1.2.3.4
Subnet Mask             : 255.255.255.0
MAC Address             : 00:01:02:03:04:05
SNMP Community String   : public
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x08
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 2.0 seconds
Default Gateway IP      : 1.2.3.250
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,0,0
Cipher Suite Priv Max   : uaaaXXXXXXXXXXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM

Two things in that output are worth a second look before moving on: the RMCP+ Cipher Suites line still lists cipher suite 0 and the first Cipher Suite Priv Max entry is `u`, which suggests the BMC will still accept “cipher zero” RMCP+ sessions (no authentication at all) up to USER privilege, and the SNMP community string is the default `public`. The cipher suite privilege string can be tightened with the `cipher_privs` setting of `ipmitool lan set` (an `X` in a position disables that suite). None of this, however, covers (or displays in these settings…) the shared/dedicated setting for the BMC port.

You can find that by running this “raw” ipmitool command:

# ipmitool raw 0x34 0x14
 01

…where 01 means dedicated and 00 means shared. (In this example we’re obviously already set to dedicated, as this was captured after the change.)

In our case we want dedicated, which is set with this “raw” command:

# ipmitool raw 0x34 0x13 0x01
 01

Then the status command should show 01 as above and the dedicated BMC port will be in use.

Then go ahead and reset the BMC with this command:

# ipmitool mc reset cold
Sent cold reset command to MC

This will take a couple of minutes before the BMC is contactable again, but then it should be using the dedicated interface rather than shared, and you can go about your business again, huzzah!
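The whole procedure above, as a script that runs the same ipmitool commands in order and checks each step before it dares to reset the BMC. This is an added example, not from the original post; it assumes channel 1 as the post does, treats the `0x34 0x13`/`0x14` OEM raw commands as C6145-specific, uses the Linux iputils `ping -W` option, and ships a `dry_run_ipmitool` stand-in (answering with the post's own `lan print` output) so it can be rehearsed with `IPMITOOL=dry_run_ipmitool` before touching hardware.

```shell
#!/bin/sh
# Added example (not from the original post): static IP, dedicated NIC, verify,
# cold reset, wait. Set IPMITOOL=dry_run_ipmitool to rehearse without a BMC.

IPMITOOL="${IPMITOOL:-ipmitool}"
CHANNEL="${CHANNEL:-1}"

# Subset of the "lan print 1" output shown in the post, used by the dry-run stand-in.
SAMPLE_LAN_PRINT='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 1.2.3.4
Subnet Mask             : 255.255.255.0
MAC Address             : 00:01:02:03:04:05
Default Gateway IP      : 1.2.3.250
Default Gateway MAC     : 00:00:00:00:00:00'

# dry_run_ipmitool ARGS...: answers like the BMC does after the change, runs nothing.
dry_run_ipmitool() {
    case "$*" in
        "raw 0x34 0x14")  echo " 01" ;;
        "lan print "*)    printf '%s\n' "$SAMPLE_LAN_PRINT" ;;
        *)                echo "[dry-run] ipmitool $*" ;;
    esac
}

# nic_mode_name RAWBYTE: map the byte returned by "raw 0x34 0x14" to a name.
nic_mode_name() {
    case "$(printf '%s' "$1" | tr -d ' ')" in
        01) echo dedicated ;;
        00) echo shared ;;
        *)  echo "unknown($1)" ;;
    esac
}

# lan_field TEXT NAME: pull one value out of "lan print" output by its label.
lan_field() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*: *//p" | head -n 1
}

# verify_lan TEXT IP MASK GW: succeed only if the printed config is static and matches.
verify_lan() {
    [ "$(lan_field "$1" 'IP Address Source')" = "Static Address" ] &&
    [ "$(lan_field "$1" 'IP Address')" = "$2" ] &&
    [ "$(lan_field "$1" 'Subnet Mask')" = "$3" ] &&
    [ "$(lan_field "$1" 'Default Gateway IP')" = "$4" ]
}

# configure_bmc IP MASK GW: the post's commands in order, each checked before the reset.
configure_bmc() {
    ip="$1"; mask="$2"; gw="$3"
    $IPMITOOL lan set "$CHANNEL" ipsrc static
    $IPMITOOL lan set "$CHANNEL" ipaddr "$ip"
    $IPMITOOL lan set "$CHANNEL" netmask "$mask"
    $IPMITOOL lan set "$CHANNEL" defgw ipaddr "$gw"
    verify_lan "$($IPMITOOL lan print "$CHANNEL")" "$ip" "$mask" "$gw" ||
        { echo "lan print does not show the requested static config" >&2; return 1; }
    $IPMITOOL raw 0x34 0x13 0x01              # select the dedicated BMC port (C6145 OEM cmd)
    mode="$(nic_mode_name "$($IPMITOOL raw 0x34 0x14)")"
    [ "$mode" = dedicated ] ||
        { echo "NIC mode is $mode after selecting dedicated, not resetting" >&2; return 1; }
    $IPMITOOL mc reset cold
}

# wait_for_bmc IP: poll for up to five minutes while the BMC comes back after the reset.
wait_for_bmc() {
    i=0
    while [ "$i" -lt 60 ]; do
        if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then
            echo "BMC $1 is answering again"; return 0
        fi
        i=$((i + 1)); sleep 5
    done
    echo "BMC $1 did not answer within five minutes" >&2
    return 1
}

# Usage: sh bmc_dedicated.sh 1.2.3.4 255.255.255.0 1.2.3.250
if [ $# -eq 3 ]; then
    configure_bmc "$1" "$2" "$3"
    wait_for_bmc "$1"
fi
```

The ordering matters: the script only issues `mc reset cold` once `lan print` reflects the static addressing and `raw 0x34 0x14` reports `01`, because after the reset the BMC is unreachable for a couple of minutes and, if the dedicated port was not actually selected, possibly unreachable at the address you expect.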

Other possibly-useful ipmitool commands

References: