Proxmox and SACK attack - CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

elchorizo

New Member
Feb 14, 2019
5
0
1
45
Haven't seen any mention about preventing the newly released SACK attack on Proxmox hosts. Is upgrading the Proxmox server enough to cover the VM's or do they need to all be upgraded as well?

Would an IP Tables solution like the following protect all VM's on the host machine?

https://news.ycombinator.com/item?id=20205566

Code:
   iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m tcpmss ! --mss 640:65535 -j DROP

results...

iptables -L -n -v -t raw | grep mss 
   84719 3392K DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 tcpmss match !640:65535
 
Haven't seen any mention about preventing the newly released SACK attack on Proxmox hosts
See:
https://forum.proxmox.com/threads/crash-any-proxmox-if-you-can-open-tcp-session.55239/#post-254249

Just upgrade the host, the kernel with the fixes is available in all our Proxmox VE 5 repositories.

Would an IP Tables solution like the following protect all VM's on the host machine?

All those which would come through the interface eth0.
 
Which version is the minimal fixed version #?

pve-kernel-4.15.18-16-pve amd64 4.15.18-41 [52.5 MB]
pve-kernel-4.15.18-12-pve amd64 4.15.18-36 [52.5 MB]

during a single update, want to be sure which of my other hosts need upgrading.

pve-kernel-4.15.18-16-pve amd64 4.15.18-41
 
For the benefit of those trying to find this advice via a web search, here are the relevant CVEs:

CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)
 
For the benefit of those trying to find this advice via a web search, here are the relevant CVEs:

CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)

Thanks, also edited the CVE IDs into this thread title.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!