Proxmox and SACK attack - CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

elchorizo

Haven't seen any mention about preventing the newly released SACK attack on Proxmox hosts. Is upgrading the Proxmox server enough to cover the VM's or do they need to all be upgraded as well?

Would an IP Tables solution like the following protect all VM's on the host machine?

https://news.ycombinator.com/item?id=20205566

Code:
   iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m tcpmss ! --mss 640:65535 -j DROP

Results:

Code:
   iptables -L -n -v -t raw | grep mss
   84719 3392K DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 tcpmss match !640:65535
 
Haven't seen any mention about preventing the newly released SACK attack on Proxmox hosts
See:
https://forum.proxmox.com/threads/crash-any-proxmox-if-you-can-open-tcp-session.55239/#post-254249

Just upgrade the host, the kernel with the fixes is available in all our Proxmox VE 5 repositories.

Would an IP Tables solution like the following protect all VM's on the host machine?

All those which would come through the interface eth0.
 
Which version is the minimal fixed version #?

pve-kernel-4.15.18-16-pve amd64 4.15.18-41 [52.5 MB]
pve-kernel-4.15.18-12-pve amd64 4.15.18-36 [52.5 MB]

(both seen during a single update); I want to be sure which of my other hosts need upgrading.

pve-kernel-4.15.18-16-pve amd64 4.15.18-41
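As an added example (not part of this thread and not a Proxmox tool), the following POSIX shell script turns the answer above into a check an admin can run on each PVE 5 host: it compares the running kernel's ABI number against the minimal fixed build named here (pve-kernel-4.15.18-16-pve), reports whether the interim `net.ipv4.tcp_sack=0` workaround is active, and looks for a low-MSS drop rule in the raw PREROUTING chain like the one in the first post. Only the 4.15.18-N-pve series is handled; any other release string is reported as "unknown" so it gets reviewed by hand. The function names, the `SACK_CHECK_RUN` variable and the sample release strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example: check a Proxmox VE 5 host against the minimal fixed kernel
# named in the thread. Assumptions: the 4.15.18-N-pve series only; the first
# fixed ABI is 16 (pve-kernel-4.15.18-16-pve, package 4.15.18-41).

FIXED_ABI=16   # from the thread: pve-kernel-4.15.18-16-pve

# sack_kernel_status <uname -r string>
# Prints "fixed", "vulnerable" or "unknown"; exit status 0, 1 or 2 respectively.
sack_kernel_status() {
    rel="$1"
    case "$rel" in
        4.15.18-*-pve)
            abi=${rel#4.15.18-}      # strip the leading "4.15.18-"
            abi=${abi%-pve}          # strip the trailing "-pve"
            case "$abi" in
                ''|*[!0-9]*) echo unknown; return 2 ;;   # ABI is not a plain number
            esac
            if [ "$abi" -ge "$FIXED_ABI" ]; then
                echo fixed; return 0
            else
                echo vulnerable; return 1
            fi ;;
        *)
            # Other series (e.g. a 5.x test kernel) need a manual look-up.
            echo unknown; return 2 ;;
    esac
}

# sack_workaround_status <value of net.ipv4.tcp_sack>
# Disabling SACK is the interim workaround for hosts that cannot reboot yet.
sack_workaround_status() {
    case "$1" in
        0) echo sack-disabled; return 0 ;;
        *) echo sack-enabled;  return 1 ;;
    esac
}

# check_host: inspect the live machine (kernel, sysctl, raw-table rule).
check_host() {
    rel=$(uname -r)
    printf 'kernel %s: %s\n' "$rel" "$(sack_kernel_status "$rel")"

    if [ -r /proc/sys/net/ipv4/tcp_sack ]; then
        sack=$(cat /proc/sys/net/ipv4/tcp_sack)
        printf 'net.ipv4.tcp_sack=%s: %s\n' "$sack" "$(sack_workaround_status "$sack")"
    fi

    # The rule from the first post shows up in "iptables -S" as "-m tcpmss ! --mss 640:65535".
    if command -v iptables >/dev/null 2>&1 \
       && iptables -t raw -S PREROUTING 2>/dev/null | grep -q tcpmss; then
        echo 'raw PREROUTING low-MSS drop rule: present'
    else
        echo 'raw PREROUTING low-MSS drop rule: not found (or iptables not readable)'
    fi
}

# Only touch the live host when explicitly asked, so the functions can be
# sourced and unit-tested without root or a Proxmox kernel.
if [ "${SACK_CHECK_RUN:-0}" = 1 ]; then
    check_host
fi
```

Run it on a host with `SACK_CHECK_RUN=1 sh sack_check.sh` (root is needed for the iptables query). A "fixed" kernel result is only meaningful after the host has been rebooted into that kernel, which is why the script reads `uname -r` rather than the installed package list.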
 
For the benefit of those trying to find this advice via a web search, here are the relevant CVEs:

CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)
 
Thanks, also edited the CVE IDs into this thread title.
 