Are the SACK panic related vulnerabilities an issue with ASL kernels? If not, which versions are immune? If so, when is an update expected?
Thanks!
SACK
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: SACK
Only if TSO or GSO is enabled for the interface, and only if you have MSS protection disabled in ASL. Check this setting in ASL:
FW_MSS_DROP="yes"
ASL has always been immune to this kind of attack, for many, many years, if this is enabled.
If you're not using ASL, then you want to check to see if you have TSO or GSO enabled:
ethtool -k eth0 | egrep "tcp|gso|generic"
You can disable this with the same tool.
Or you can disable Selective ACK with this command:
echo 0 > /proc/sys/net/ipv4/tcp_sack
A new kernel will be available tomorrow should you wish to use TSO or GSO and don't want to use ASL's MSS protection (there's no reason not to use this protection).
Michael Shinn
Atomicorp - Security For Everyone
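The reply above gives three things to check by hand: offload state with ethtool, the tcp_sack sysctl, and whether small-MSS segments are dropped. The script below is an added example, not code from this thread, from Atomicorp or from ASL; it wraps those checks in functions and reports exposure the way the reply reasons about it (exposed only when TSO/GSO is on, SACK is on, and no MSS drop is in place). The SAMPLE_* strings are constructed to look like `ethtool -k` and `iptables -S INPUT` output so it runs offline; `live_check` shows where the real `ethtool`, `sysctl` and `iptables` calls go. The MSS-drop check looks for the iptables `tcpmss` match rule published as the upstream mitigation for the SACK bugs; it is an assumption that a host uses that rule, and it is not how ASL's FW_MSS_DROP works (the thread says that setting changes kernel settings rather than adding a table rule), so on an ASL host only the offload and SACK checks apply.

```shell
#!/bin/sh
# Added example (not from the thread, Atomicorp or ASL): classify a host's
# exposure to the SACK-panic class of bugs from the settings named in the
# reply: TSO/GSO offload, net.ipv4.tcp_sack, and an MSS-based DROP rule.
# SAMPLE_* values are CONSTRUCTED to resemble real command output.

SAMPLE_ETHTOOL_ON='Features for eth0:
scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on'

SAMPLE_ETHTOOL_OFF='Features for eth0:
scatter-gather: on
tcp-segmentation-offload: off
	tx-tcp-segmentation: off
generic-segmentation-offload: off
generic-receive-offload: on'

# Constructed `iptables -S INPUT` output carrying the upstream-published
# mitigation rule (assumed here, not ASL's mechanism):
#   iptables -A INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
SAMPLE_IPTABLES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP'

# offload_enabled <ethtool -k output>: "yes" if TSO or GSO is on.
# Only the two top-level features are matched; the indented tx-tcp-* lines
# that egrep "tcp|gso|generic" also catches are sub-features of TSO.
offload_enabled() {
    if printf '%s\n' "$1" | grep -Eq '^(tcp|generic)-segmentation-offload:[[:space:]]*on'; then
        echo yes
    else
        echo no
    fi
}

# sack_enabled <value of net.ipv4.tcp_sack>: "yes" when selective ACK is on.
sack_enabled() {
    case "$1" in
        1) echo yes ;;
        *) echo no ;;
    esac
}

# mss_drop_present <iptables -S INPUT output>: "yes" if a DROP rule using
# the tcpmss match is installed.
mss_drop_present() {
    if printf '%s\n' "$1" | grep -Eq -- '-m tcpmss .*-j DROP'; then
        echo yes
    else
        echo no
    fi
}

# exposure <offload yes|no> <sack yes|no> <mssdrop yes|no>: the reply's
# logic; any one mitigation is enough.
exposure() {
    if [ "$1" = yes ] && [ "$2" = yes ] && [ "$3" = no ]; then
        echo exposed
    else
        echo mitigated
    fi
}

# live_check <iface>: same logic against the running host (iptables needs
# root). Only runs when an interface is passed, so the default stays offline.
live_check() {
    iface=$1
    off=$(offload_enabled "$(ethtool -k "$iface")")
    sack=$(sack_enabled "$(sysctl -n net.ipv4.tcp_sack)")
    mss=$(mss_drop_present "$(iptables -S INPUT)")
    printf '%s: tso/gso=%s sack=%s mss_drop=%s -> %s\n' \
        "$iface" "$off" "$sack" "$mss" "$(exposure "$off" "$sack" "$mss")"
}

# Offline demonstration on the constructed samples.
demo() {
    on=$(offload_enabled "$SAMPLE_ETHTOOL_ON")
    off=$(offload_enabled "$SAMPLE_ETHTOOL_OFF")
    printf 'offload on,  sack on, no mss drop: %s\n' \
        "$(exposure "$on" "$(sack_enabled 1)" "$(mss_drop_present '-P INPUT ACCEPT')")"
    printf 'offload on,  sack on, mss drop:    %s\n' \
        "$(exposure "$on" "$(sack_enabled 1)" "$(mss_drop_present "$SAMPLE_IPTABLES")")"
    printf 'offload on,  sack off:             %s\n' \
        "$(exposure "$on" "$(sack_enabled 0)" no)"
    printf 'offload off, sack on, no mss drop: %s\n' \
        "$(exposure "$off" "$(sack_enabled 1)" no)"
}

if [ "$#" -gt 0 ]; then
    live_check "$1"
else
    demo
fi
```

Run it with no arguments to see the four constructed cases, or `sh check_sack.sh eth0` as root to evaluate a real interface. Disabling offload with `ethtool -K` or turning off tcp_sack both flip the result to mitigated, which is why the reply treats the kernel update as optional once one of those is in place.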
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: SACK
On older systems it was probably set to no; it is set to yes by default. Not sure when the change happened, though, but for some time it's been the default.
Michael Shinn
Atomicorp - Security For Everyone
Re: SACK
Thanks. The wiki could use an update as it has:
=== FW_MSS_DROP ===
Note: This option is available in ASL 4.x and up.
This will detect and drop packets that have an invalid MSS.
Default: no
https://wiki.atomicorp.com/wiki/index.p ... W_MSS_DROP
versus
=== FW_MSS_DROP ===
Note: This option is available in ASL 4.x and up.
This will detect and drop packets that have an invalid MSS.
Default: yes
(For some odd reason I can't update it, as my email isn't validating.)
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: SACK
It's not added into a table; it changes kernel settings.
Michael Shinn
Atomicorp - Security For Everyone