Atomic Secure Linux
 Post subject: SACK
Unread postPosted: Thu Jun 20, 2019 12:56 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 319
Are the SACK panic-related vulnerabilities an issue with ASL kernels? If not, which versions are immune? If so, when is an update expected?

Thanks!


 Post subject: Re: SACK
Unread postPosted: Thu Jun 20, 2019 4:33 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4082
Location: Chantilly, VA
Only if TSO or GSO is enabled for the interface, and only if you have MSS protection disabled in ASL. Check this setting in ASL:

FW_MSS_DROP="yes"

ASL has always been immune to this kind of attack, for many, many years, if this is enabled.

If you're not using ASL, then you want to check to see if you have TSO or GSO enabled:

ethtool -k eth0 | egrep "tcp|gso|generic"

You can disable this with the same tool.

Or you can disable Selective ACK with this command:

echo 0 > /proc/sys/net/ipv4/tcp_sack

A new kernel will be available tomorrow should you wish to use TSO or GSO and don't want to use ASL's MSS protection (there's no reason not to use this protection).

_________________
Michael Shinn
Atomicorp - Security For Everyone


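An added audit script that puts the checks from the post above into one place. It is not Atomicorp or ASL code: it reads net.ipv4.tcp_sack, parses TSO/GSO state out of `ethtool -k`, and turns those plus the FW_MSS_DROP value into a verdict that follows the post's own criteria (SACK on, TSO or GSO on, MSS protection off). The two `ethtool -k` samples are constructed, the interface name eth0 is assumed, and because the location of ASL's config file is not given on the page, FW_MSS_DROP is taken from the environment (an assumption, noted in the comments).

```shell
#!/bin/sh
# Added audit script (not Atomicorp/ASL code). Applies the checks from the
# post: net.ipv4.tcp_sack, TSO/GSO state from `ethtool -k`, and FW_MSS_DROP.
# ASL's config path is not known here, so FW_MSS_DROP is read from the
# environment (assumption). Interface name eth0 is assumed.

# Constructed sample of `ethtool -k eth0` output (trimmed), offloads enabled.
SAMPLE_ETHTOOL_ON='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
	tx-tcp-ecn-segmentation: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Same host after `ethtool -K eth0 tso off gso off` (constructed).
SAMPLE_ETHTOOL_OFF='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: off
	tx-tcp-segmentation: off
	tx-tcp-ecn-segmentation: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# offload_state FEATURE TEXT -> on | off | unknown
# Looks up a top-level feature line such as "generic-segmentation-offload: on".
# Sub-features are indented with a tab; awk's default field splitting ignores that.
offload_state() {
    printf '%s\n' "$2" | awk -v key="$1:" '
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# exposure_verdict TCP_SACK TEXT FW_MSS_DROP -> exposed | mitigated
# Encodes the post's reasoning: the issue bites only when SACK is on,
# TSO or GSO is on, and ASL's MSS protection (FW_MSS_DROP) is off.
exposure_verdict() {
    sack="$1"; text="$2"; mss_drop="$3"
    tso=$(offload_state tcp-segmentation-offload "$text")
    gso=$(offload_state generic-segmentation-offload "$text")
    if [ "$sack" = "0" ]; then
        echo mitigated        # SACK disabled: net.ipv4.tcp_sack=0
    elif [ "$mss_drop" = "yes" ]; then
        echo mitigated        # FW_MSS_DROP="yes" in ASL
    elif [ "$tso" = "on" ] || [ "$gso" = "on" ]; then
        echo exposed          # SACK + segmentation offload, no MSS protection
    else
        echo mitigated        # no TSO/GSO on this interface
    fi
}

# audit_host [IFACE]: run the same checks against the live system.
audit_host() {
    iface="${1:-eth0}"
    sack=$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo 1)
    feats=$(ethtool -k "$iface" 2>/dev/null || true)
    tso=$(offload_state tcp-segmentation-offload "$feats")
    gso=$(offload_state generic-segmentation-offload "$feats")
    echo "iface=$iface tcp_sack=$sack tso=$tso gso=$gso fw_mss_drop=${FW_MSS_DROP:-unknown}"
    exposure_verdict "$sack" "$feats" "${FW_MSS_DROP:-no}"
}

# mitigate_host [IFACE]: the two non-ASL remediations the post names.
# Run only on request; both changes are lost at reboot unless persisted.
mitigate_host() {
    iface="${1:-eth0}"
    ethtool -K "$iface" tso off gso off      # same tool the post uses to check
    sysctl -w net.ipv4.tcp_sack=0            # same as echo 0 > /proc/sys/net/ipv4/tcp_sack
}

case "${1:-}" in
    --live) audit_host "${2:-eth0}" ;;
    --fix)  mitigate_host "${2:-eth0}" ;;
esac
```

Run it as `sh sack_audit.sh --live eth0` (root is needed for `ethtool -k` on some distributions) and, on a non-ASL host you have decided to harden this way, `sh sack_audit.sh --fix eth0`. Neither `ethtool -K` nor `sysctl -w` survives a reboot; put the sysctl in /etc/sysctl.conf and the offload change in the interface's network configuration if it is meant to stay.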
 Post subject: Re: SACK
Unread postPosted: Tue Jun 25, 2019 3:56 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 319
Mike:

Thanks for the explanation. From what I recall the MSS setting defaults to no on a fresh ASL install so many may not have it enabled. Perhaps it should default to yes moving forward?


 Post subject: Re: SACK
Unread postPosted: Wed Jun 26, 2019 5:55 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4082
Location: Chantilly, VA
On older systems it was probably set to no. It is set to yes by default; not sure when the change happened, though, but for some time it's been the default.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: SACK
Unread postPosted: Thu Jun 27, 2019 4:20 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 319
Thanks. The wiki could use an update as it has:

=== FW_MSS_DROP ===

Note: This option is available in ASL 4.x and up.

This will detect and drop packets that have an invalid MSS.

Default: no

https://wiki.atomicorp.com/wiki/index.p ... W_MSS_DROP

versus

=== FW_MSS_DROP ===

Note: This option is available in ASL 4.x and up.

This will detect and drop packets that have an invalid MSS.

Default: yes

(for some odd reason can't update as my email isn't validating).


 Post subject: Re: SACK
Unread postPosted: Tue Jul 02, 2019 12:54 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 319
What table in iptables is the MSS rule added to? At present, after enabling, I'm not seeing a rule added (restarted the firewall, ran asl -s -f, rebooted the box, etc., all the usuals JIC to make sure it was active).


 Post subject: Re: SACK
Unread postPosted: Fri Jul 05, 2019 2:50 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4082
Location: Chantilly, VA
It's not added to a table; it changes kernel settings.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: SACK
Unread postPosted: Tue Jul 09, 2019 2:32 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 319
Thank you. What would be the best way to test that all is protecting as it should?

