Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard manipulation

Bug #1831638 reported by Tyler Hicks on 2019-06-04
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Unassigned
Precise
Undecided
Unassigned
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned
Disco
Undecided
Unassigned

Bug Description

Jonathan Looney discovered that a remote attacker could cause a denial of service (resource exhaustion) via a maliciously crafted sequence of TCP SACKs.

CVE References

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-52.56

---------------
linux (4.15.0-52.56) bionic; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Marcelo Henrique Cerri <email address hidden> Tue, 04 Jun 2019 17:33:24 -0300

Changed in linux (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.18.0-22.23

---------------
linux (4.18.0-22.23) cosmic; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Marcelo Henrique Cerri <email address hidden> Tue, 04 Jun 2019 15:23:00 -0300

Changed in linux (Ubuntu Cosmic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-17.18

---------------
linux (5.0.0-17.18) disco; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Stefan Bader <email address hidden> Tue, 04 Jun 2019 17:22:50 +0200

Changed in linux (Ubuntu Disco):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-151.178

---------------
linux (4.4.0-151.178) xenial; urgency=medium

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs
    - SAUCE: tcp: fix fack_count accounting on tcp_shift_skb_data()

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

 -- Stefan Bader <email address hidden> Tue, 11 Jun 2019 09:36:19 +0200

Changed in linux (Ubuntu Xenial):
status: New → Fix Released
Tyler Hicks (tyhicks) on 2019-06-17
information type: Private Security → Public Security
Tyler Hicks (tyhicks) wrote :

This bug report represents CVE-2019-11478

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-17.18

---------------
linux (5.0.0-17.18) disco; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Stefan Bader <email address hidden> Tue, 04 Jun 2019 17:22:50 +0200

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Tyler Hicks (tyhicks) wrote :

Ubuntu 14.04 ESM's base kernel was fixed with version 3.13.0-171.222.
Ubuntu 12.04 ESM's base kernel was fixed with version 3.2.0-141.188.

Changed in linux (Ubuntu Trusty):
status: New → Fix Released
Changed in linux (Ubuntu Precise):
status: New → Fix Released

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco
tags: added: verification-needed-cosmic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Brad Figg (brad-figg) on 2019-07-24
tags: added: cscc
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers