SACK Panic – CVE-2019-11477 – Multiple TCP-based remote denial of service

June 18, 2019

A new vulnerability has been detected in Linux.

Red Hat has released a script to check whether our systems are affected:

To mitigate the vulnerability we can apply one of the following fixes:

Option #1
Disable selective acknowledgments system wide for all newly established TCP connections.

# echo 0 > /proc/sys/net/ipv4/tcp_sack
# sysctl -w net.ipv4.tcp_sack=0

This option disables selective acknowledgements, but it will likely increase the bandwidth required to complete streams correctly when errors occur.
To make this option persist across reboots, create a file in /etc/sysctl.d/, such as /etc/sysctl.d/99-tcpsack.conf, with the following content:

# CVE-2019-11477 & CVE-2019-11478
net.ipv4.tcp_sack = 0

Option #2
Mitigates CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 by preventing new connections made with low MSS sizes.

The default firewall configuration on Red Hat Enterprise Linux 7 and 8 is firewalld. To prevent new connections with low MSS sizes using firewalld, use the following commands:

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# firewall-cmd --reload
# firewall-cmd --permanent --direct --get-all-rules

These firewall-cmd rules will persist across system reboots.
If using the traditional iptables firewalling method on any version of Red Hat Enterprise Linux, the equivalent iptables commands are:

# iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

# iptables -nL -v
# ip6tables -nL -v

We install the Playbook's dependencies so that we can configure the IPTABLES rules permanently:

mkdir -p ~/.ansible/plugins/modules

wget -O ~/.ansible/plugins/modules/

Ansible Playbook to mitigate it:

- name: Configure CVE-2019-11477 rule
  hosts: all
  become: true  # added: iptables changes need root
  tasks:
    - name: "IPTABLES_RAW | Secure CVE-2019-11477"
      # module name assumed from the task name and the plugins/modules path above
      iptables_raw:
        name: "CVE-2019-11477"
        rules: '-A INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP'
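As an added check, not part of the original post or of Red Hat's advisory, the following POSIX shell script reports whether a host carries either mitigation above (tcp_sack set to 0 from Option #1, or the low-MSS SYN DROP rule from Option #2); the sample ruleset embedded in it is constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or Red Hat's advisory:
# checks whether a host carries either mitigation above (tcp_sack=0 or
# the low-MSS SYN DROP rule). The functions take their inputs as
# arguments so they can be run against constructed samples without root.

# is_sack_disabled VALUE -> success if net.ipv4.tcp_sack is 0
is_sack_disabled() {
    [ "$1" = "0" ]
}

# has_low_mss_drop RULESET -> success if the ruleset (format of
# `iptables -S INPUT`) drops SYN packets with an MSS of 1:500
has_low_mss_drop() {
    printf '%s\n' "$1" |
        grep -q -- '^-A INPUT .*--tcp-flags SYN SYN .*-m tcpmss --mss 1:500 .*-j DROP'
}

# mitigation_status SACK_VALUE RULESET -> prints which mitigation is in place
mitigation_status() {
    sack=0; fw=0
    is_sack_disabled "$1" && sack=1
    has_low_mss_drop "$2" && fw=1
    case "$sack$fw" in
        11) echo "mitigated (sysctl and firewall)" ;;
        10) echo "mitigated (sysctl)" ;;
        01) echo "mitigated (firewall)" ;;
        *)  echo "NOT mitigated" ;;
    esac
}

# Constructed sample ruleset in `iptables -S` format (not from a real host);
# note iptables inserts "-m tcp" when it prints the rule back.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Live check when run as root; otherwise demonstrate on the sample.
if [ "$(id -u)" -eq 0 ]; then
    live_sack=$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo unknown)
    live_rules=$(iptables -S INPUT 2>/dev/null || true)
    echo "local host: $(mitigation_status "$live_sack" "$live_rules")"
else
    echo "sample ruleset, SACK on: $(mitigation_status 1 "$SAMPLE_RULES")"
fi
```

Run it as root on a host after applying one of the options to confirm the mitigation actually took effect, or as a normal user to see it evaluate the embedded sample.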