Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard manipulation

Bug #1831638 reported by Tyler Hicks
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Fix Released
Undecided
Unassigned
Disco
Fix Released
Undecided
Unassigned

Bug Description

Jonathan Looney discovered that a remote attacker could cause a denial of service (resource exhaustion) via a maliciously crafted sequence of TCP SACKs.

CVE References

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-52.56

---------------
linux (4.15.0-52.56) bionic; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Marcelo Henrique Cerri <email address hidden> Tue, 04 Jun 2019 17:33:24 -0300

Changed in linux (Ubuntu Bionic):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.18.0-22.23

---------------
linux (4.18.0-22.23) cosmic; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Marcelo Henrique Cerri <email address hidden> Tue, 04 Jun 2019 15:23:00 -0300

Changed in linux (Ubuntu Cosmic):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-17.18

---------------
linux (5.0.0-17.18) disco; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Stefan Bader <email address hidden> Tue, 04 Jun 2019 17:22:50 +0200

Changed in linux (Ubuntu Disco):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-151.178

---------------
linux (4.4.0-151.178) xenial; urgency=medium

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs
    - SAUCE: tcp: fix fack_count accounting on tcp_shift_skb_data()

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

 -- Stefan Bader <email address hidden> Tue, 11 Jun 2019 09:36:19 +0200

Changed in linux (Ubuntu Xenial):
status: New → Fix Released
Tyler Hicks (tyhicks)
information type: Private Security → Public Security
Revision history for this message
Tyler Hicks (tyhicks) wrote :

This bug report represents CVE-2019-11478

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-17.18

---------------
linux (5.0.0-17.18) disco; urgency=medium

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs

 -- Stefan Bader <email address hidden> Tue, 04 Jun 2019 17:22:50 +0200

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Ubuntu 14.04 ESM's base kernel was fixed with version 3.13.0-171.222.
Ubuntu 12.04 ESM's base kernel was fixed with version 3.2.0-141.188.

Changed in linux (Ubuntu Trusty):
status: New → Fix Released
Changed in linux (Ubuntu Precise):
status: New → Fix Released
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco
tags: added: verification-needed-cosmic
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Brad Figg (brad-figg)
tags: added: cscc
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers