SACK

Posted: Thu Jun 20, 2019 12:56 pm
by Imaging
Are the SACK panic related vulnerabilities an issue with ASL kernels? If not, which versions are immune? If so, when is an update expected?

Thanks!

Re: SACK

Posted: Thu Jun 20, 2019 4:33 pm
by mikeshinn
Only if TSO or GSO is enabled for the interface, and only if you have MSS protection disabled in ASL. Check this setting in ASL:

FW_MSS_DROP="yes"

ASL has always been immune to this kind of attack, for many, many years, if this is enabled.

If you're not using ASL, then you want to check to see if you have TSO or GSO enabled:

ethtool -k eth0 | egrep "tcp|gso|generic"

You can disable this with the same tool.

Or you can disable Selective ACK with this command:

echo 0 > /proc/sys/net/ipv4/tcp_sack

A new kernel will be available tomorrow should you wish to use TSO or GSO and don't want to use ASL's MSS protection (there's no reason not to use this protection).
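The checks in the reply above (TSO/GSO offload state from ethtool, the tcp_sack sysctl, and the FW_MSS_DROP setting) can be combined into one assessment script. The following is an added example written for this page, not ASL's own tooling or anything posted in the thread. It assumes a Linux host with ethtool, and since the thread does not say where ASL stores FW_MSS_DROP, the MSS-protection value is passed in by hand rather than read from a config file. The ethtool output used for the offline run is constructed sample text.

```shell
#!/bin/sh
# Added example: classify a host's exposure to the 2019 SACK-panic issue from the
# three indicators discussed in the thread. Not part of ASL; assumptions noted inline.

# Constructed sample of `ethtool -k eth0 | egrep "tcp|gso|generic"` output
# (a real box would have more lines; only the top-level features are read).
SAMPLE_ETHTOOL='tcp-segmentation-offload: on
	tx-tcp-segmentation: on
	tx-tcp-ecn-segmentation: off [fixed]
	tx-tcp-mangleid-segmentation: off
	tx-tcp6-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on'

# offload_state FEATURE TEXT -> prints "on" or "off" for the named top-level
# ethtool feature (sub-features such as tx-tcp-segmentation are ignored).
offload_state() {
    printf '%s\n' "$2" | awk -v f="$1" '$1 == (f ":") { print $2; exit }'
}

# sack_exposure TCP_SACK TSO GSO MSS_DROP -> prints one status word:
#   sack-off      : tcp_sack=0, the kernel never builds SACK blocks
#   mss-protected : FW_MSS_DROP="yes", packets with an invalid MSS are dropped
#   offload-off   : SACK on, but neither TSO nor GSO enabled on the interface
#   exposed       : SACK on, TSO or GSO on, no MSS protection -> patch the kernel
#                   or enable FW_MSS_DROP
sack_exposure() {
    tcp_sack=$1; tso=$2; gso=$3; mss_drop=$4
    if [ "$tcp_sack" = "0" ]; then
        echo sack-off
    elif [ "$mss_drop" = "yes" ]; then
        echo mss-protected
    elif [ "$tso" = "off" ] && [ "$gso" = "off" ]; then
        echo offload-off
    else
        echo exposed
    fi
}

# live_check IFACE MSS_DROP -> reads the real sysctl and ethtool values.
# MSS_DROP is the operator-supplied FW_MSS_DROP value (assumption: the script
# does not know ASL's config path, so it is not read from disk).
live_check() {
    iface=${1:-eth0}
    mss_drop=${2:-no}
    sack=$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo unknown)
    feats=$(ethtool -k "$iface" 2>/dev/null)
    tso=$(offload_state tcp-segmentation-offload "$feats")
    gso=$(offload_state generic-segmentation-offload "$feats")
    printf 'iface=%s tcp_sack=%s tso=%s gso=%s mss_drop=%s -> %s\n' \
        "$iface" "$sack" "${tso:-unknown}" "${gso:-unknown}" "$mss_drop" \
        "$(sack_exposure "$sack" "${tso:-unknown}" "${gso:-unknown}" "$mss_drop")"
}

# Usage: ./sackcheck.sh --live eth0 yes   (interface, then your FW_MSS_DROP value)
if [ "${1:-}" = "--live" ]; then
    live_check "${2:-eth0}" "${3:-no}"
fi
```

Run it with `--live` on the host to see the current verdict; without arguments it only defines the functions, which is how the sample ethtool text can be fed through `offload_state` and `sack_exposure` on any machine. Note that an "unknown" offload value is treated as enabled, so a missing ethtool errs toward reporting exposure rather than hiding it.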

Re: SACK

Posted: Tue Jun 25, 2019 3:56 pm
by Imaging
Mike:

Thanks for the explanation. From what I recall the MSS setting defaults to no on a fresh ASL install so many may not have it enabled. Perhaps it should default to yes moving forward?

Re: SACK

Posted: Wed Jun 26, 2019 5:55 pm
by mikeshinn
On older systems it was probably set to no; it is set to yes by default. Not sure when the change happened, though, but for some time it's been the default.

Re: SACK

Posted: Thu Jun 27, 2019 4:20 pm
by Imaging
Thanks. The wiki could use an update as it has:

=== FW_MSS_DROP ===

Note: This option is available in ASL 4.x and up.

This will detect and drop packets that have an invalid MSS.

Default: no

https://wiki.atomicorp.com/wiki/index.p ... W_MSS_DROP

versus

=== FW_MSS_DROP ===

Note: This option is available in ASL 4.x and up.

This will detect and drop packets that have an invalid MSS.

Default: yes

(For some odd reason I can't update it, as my email isn't validating.)

Re: SACK

Posted: Tue Jul 02, 2019 12:54 pm
by Imaging
What table in iptables is the mss rule added to? At present, after enabling, I'm not seeing a rule added (restarted the firewall, ran asl -s -f, rebooted the box etc., all the usuals JIC to make sure it was active).

Re: SACK

Posted: Fri Jul 05, 2019 2:50 pm
by mikeshinn
It's not added into a table; it changes kernel settings.

Re: SACK

Posted: Tue Jul 09, 2019 2:32 pm
by Imaging
Thank you. What would be the best way to test that all is protecting as it should?