SACKPanic Linux Kernel Vulnerability

So I'm assuming both stock and Merlin FW is susceptible to this attack, and that @RMerlin will fix it soon/first if it is?

https://betanews.com/2019/06/18/linux-sack-panic/
Should be easily fixable now with
Code:
echo 0 > /proc/sys/net/ipv4/tcp_sack
assuming the firmware is vulnerable

(edit: it's set to 1 on my 86u, so I've added the code above to init-start so I don't forget to re-apply after a reboot)
 
Should be easily fixable now with
Code:
echo 0 > /proc/sys/net/ipv4/tcp_sack
assuming the firmware is vulnerable
Thanks - yea I've done that on some of my other servers which I can't upgrade the kernel on in short order. Should probably do it on my router as well!
 
There's already a thread about this here.

I can't say I'm going to lose any sleep over this. But then I'm not running any public facing web services, let alone any "high profile" enough to be of interest to anybody.
Crucially, in order to remotely crash or knacker your computer or gadget, a miscreant must be able to open a connection to the Linux-powered device: this is possible if the machine is running something like a web server, a SSH daemon, or some other TCP-based service. If your device is not listening on any TCP ports, it will be virtually impossible to exploit.

So, not great, not terrible; it's an annoyance that could disrupt websites and similar services on the internet if script kiddies start firing off waves of exploits at vulnerable machines.
 
There's already a thread about this here.

I can't say I'm going to lose any sleep over this. But then I'm not running any public facing web services, let alone any "high profile" enough to be of interest to anybody.

Ah, I searched for SACKPanic but it didn’t bring that thread up.
Yea it’s a fringe case for a home user, but there’ll be a load of people attempting it at all sorts of IPs now it’s known! I don’t expose any TCP ports publicly on the router anyway, I don’t think, so even more unlikely to be attacked.


Sent from my iPhone using Tapatalk
 
Should be easily fixable now with
Code:
echo 0 > /proc/sys/net/ipv4/tcp_sack
assuming the firmware is vulnerable

(edit: it's set to 1 on my 86u, so I've added the code above to init-start so I don't forget to re-apply after a reboot)

I've read that the iptables command below is a better solution.

Code:
iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

I would say that the iptables rule is a 'better' solution than dropping sack as you may find you use significantly more CPU/bandwidth when dealing with retransmits when not using selective acknowledgements.

See the discussion here:
https://news.ycombinator.com/item?id=20205566
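
Added example, not part of the original posts: a small shell check that reports which of the two workarounds discussed in this thread (the low-MSS SYN drop rule or `tcp_sack` set to 0) is in place. The function names and sample rule listings are constructed for illustration, and it assumes the firmware's iptables supports `-S`.

```shell
#!/bin/sh
# Added example: report which SACK Panic workaround from this thread is active.

# Constructed samples of `iptables -S INPUT` output, used for offline checks.
SAMPLE_PLAIN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
SAMPLE_FILTERED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# has_low_mss_drop RULES
# RULES is the text printed by `iptables -S INPUT`. Succeeds when an INPUT rule
# drops TCP SYN packets selected by the tcpmss match, as in the thread's
# "--mss 1:500" rule. It does not judge whether the chosen range is adequate.
has_low_mss_drop() {
    printf '%s\n' "$1" | grep -Eq -- \
        '^-A INPUT .*--tcp-flags [A-Z,]*SYN[A-Z,]* SYN .*-m tcpmss --mss [0-9]+(:[0-9]+)? .*-j DROP'
}

# mitigation_status SACK_VALUE RULES  -> prints one of:
#   filtered   low-MSS SYN drop rule present, SACK can stay enabled
#   sack-off   tcp_sack is 0 (works, at the retransmit cost noted in the thread)
#   exposed    neither workaround is in place
mitigation_status() {
    if has_low_mss_drop "$2"; then
        echo filtered
    elif [ "$1" = "0" ]; then
        echo sack-off
    else
        echo exposed
    fi
}

# Live check on the device itself (iptables needs root); run with --live.
if [ "${1:-}" = "--live" ]; then
    sack=$(cat /proc/sys/net/ipv4/tcp_sack)
    rules=$(iptables -S INPUT 2>/dev/null)
    mitigation_status "$sack" "$rules"
fi
```

Both workarounds are runtime settings, so a result of `exposed` after a reboot usually means the command was never added to a startup script such as the init-start mentioned earlier. The check covers only the INPUT chain, that is, TCP connections that terminate on the router itself.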
 
Sure, you got kernel patches for kernels 2.6.36, 4.1.27 and 4.1.51?

It appears patches for 2 of the 3 related CVEs already exist and one for the 3rd is en route very shortly.

I wasn’t suggesting you were to fix the kernel yourself, simply integrate the fix once it is available (likely quicker than Asus will).

Not sure what the wise crack remark was for?


Sent from my iPhone using Tapatalk
 
It appears patches for 2 of the 3 related CVEs already exist and one for the 3rd is en route very shortly.

Those patches do not work on older kernels, hence my reply.

Not sure what the wise crack remark was for?

I'm sorry, it just gets frustrating when that very same question gets asked every single time a new security issue appears, as if suddenly it was a matter of national emergency, and that I never patched any security issues.

I will have to answer that same question probably 2-4 times on the forums (because people don't read existing posts before asking questions), 2-3 times on Twitter, and 2-3 times in emails.

If you check only today's posts, you will see that, yet again, someone asked if I had patched the security issues included in Asus's 45717 release. On these forums alone that must be the fourth time that question got asked.

Yes, as you can imagine, it gets annoying after the 10th time.
 
Those patches do not work on older kernels, hence my reply.



I'm sorry, it just gets frustrating when that very same question gets asked every single time a new security issue appears, as if suddenly it was a matter of national emergency, and that I never patched any security issues.

I will have to answer that same question probably 2-4 times on the forums (because people don't read existing posts before asking questions), 2-3 times on Twitter, and 2-3 times in emails.

If you check only today's posts, you will see that, yet again, someone asked if I had patched the security issues included in Asus's 45717 release. On these forums alone that must be the fourth time that question got asked.

Yes, as you can imagine, it gets annoying after the 10th time.
Albert Einstein said:
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
People are people. ;)
 
^^^^ RMerlin, I imagine you have the makings of a good instructor / teacher! ;)
 