CVE-2019-11479

CWE-405 CWE-770 — Allocation without Limits CWE-400 — Uncontrolled Resource Consumption15 documents10 sources

Severity

7.5HIGH

EPSS

13.4%

top 5.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Linux Kernel F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager +18 more

Timeline

PublishedJun 19

Latest updateMay 24

Description

Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages21 packages

▶CVEListV5linux/linux_kernel4.4 — 4.4.182+4

▶NVDlinux/linux_kernel4.4 — 4.4.182+4

▶NVDf5/big-ip_fraud_protection_service11.5.2 — 11.6.5.1+5

▶Debianlinux< 4.19.37-4+3

▶NVDf5/big-ip_analytics11.5.2 — 11.6.5.1+5

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10, 19.04, Enterprise Linux 7.0

Patches

Patch: git.kernel.org ↗Patch: git.kernel.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-99cq-xr7g-h22w: Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes↗2022-05-24

▶

OSV

linux-lts-xenial, linux-aws, linux-azure update↗2019-06-29

▶

OSV

CVE-2019-11479: Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes↗2019-06-19

▶

CVEList

CVE-2019-11479: Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes↗2019-06-18

▶

Kernel

tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()↗2019-06-08

▶

📋Vendor Advisories

Ubuntu

Linux kernel update↗2019-06-29

▶

Ubuntu

Linux kernel (HWE) update↗2019-06-29

▶

Red Hat

kernel: tcp: excessive resource consumption for TCP connections with low MSS allows remote denial of service↗2019-06-17

▶

Debian

CVE-2019-11479: linux - Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48...↗2019

▶

🕵️Threat Intelligence

Unit42

TCP SACK Panics Linux Servers↗2019-06-21

▶

Unit42

TCP SACK Panics Linux Servers↗2019-06-21

▶

💬Community

Bugzilla

CVE-2019-11479 kernel: tcp: excessive resource consumption for TCP connections with low MSS allows remote denial of service [fedora-all]↗2019-06-17

▶

Bugzilla

CVE-2019-11479 kernel: tcp: excessive resource consumption for TCP connections with low MSS allows remote denial of service↗2019-06-11

▶

External resources

NVD MITRE

Affected products21

Canonical Ubuntu Linuxv14.04v16.04v18.04+2 more

F5 Big-ip Access Policy Manager≥ 11.5.2, < 11.6.5.1≥ 12.1.0, < 12.1.5.1≥ 13.1.0, < 13.1.3.2+3 more

F5 Big-ip Advanced Firewall Manager≥ 11.5.2, < 11.6.5.1≥ 12.1.0, < 12.1.5.1≥ 13.1.0, < 13.1.3.2+3 more

F5 Big-ip Analytics≥ 11.5.2, < 11.6.5.1≥ 12.1.0, < 12.1.5.1≥ 13.1.0, < 13.1.3.2+3 more

F5 Big-ip Application Acceleration Manager≥ 11.5.2, < 11.6.5.1≥ 12.1.0, < 12.1.5.1≥ 13.1.0, < 13.1.3.2+3 more

F5 Big-ip Application Security Manager≥ 11.5.2, < 11.6.5.1≥ 12.1.0, < 12.1.5.1≥ 13.1.0, < 13.1.3.2+3 more

F5 Big-ip Domain Name System≥ 11.5.2, < 11.6.5.1≥ 12.1.0, < 12.1.5.1≥ 13.1.0, < 13.1.3.2+3 more

F5 Big-ip Edge Gateway≥ 11.5.2, < 11.6.5.1≥ 12.1.0, < 12.1.5.1≥ 13.1.0, < 13.1.3.2+3 more

F5 Big-ip Fraud Protection Service≥ 11.5.2, < 11.6.5.1≥ 12.1.0, < 12.1.5.1≥ 13.1.0, < 13.1.3.2+3 more

F5 Big-ip Global Traffic Manager≥ 11.5.2, < 11.6.5.1≥ 12.1.0, < 12.1.5.1≥ 13.1.0, < 13.1.3.2+3 more

Disclosure

PublishedJun 19, 2019

Latest updateMay 24, 2022