SRX

Expand all | Collapse all

Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

Jump to Best Answer
  • 1.  Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

    Posted 08-09-2019 06:00

    I have a Linux Servers network that sits beihnd a SRX device.

    Some of them cannot be upgraded and are vulnerable to TCP Sack Panic CVE.
    I cannot upgrade these Servers at the time and on more then one node there is no iptables compiled in the kernel.

    The Ubuntu, RedHat and others give couple recommendations.(https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic)

    The most sano of them for my systems is the one which ipables drops every packet with mss between 0 to 500.

    iptables -I FORWARD 1 -p tcp -m tcpmss --mss 1:500 -j DROP

    I was wondering if is there any possible way to do the same on SRX to proctect my vulnurable hosts?

     

    Thanks,

    Eliezer


    #TCPSack


  • 2.  RE: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

    Posted 08-11-2019 11:03

    Hi Elicro,

     

    It is not possible to block the packet based on the MSS filter. Also, I checked for Screens/IDP signatures as well and there isn't any. 

    I would suggest you contact JTAC as they might provide you with more information.



  • 3.  RE: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?
    Best Answer

    Posted 08-12-2019 11:07

    Hello Elicro,

     

    As already pointed out, currently there does NOT appear to have any pre-defined screen/IDP signature for it.

    I think you can create customized signature definition like the following and use it in IDP to protect your legacy servers.

     

     

    custom-attack SACK {
        severity critical;
        attack-type {
            signature {
                context packet;
                direction client-to-server;
                protocol {
                    tcp {
                        mss {
                            match less-than;
                            value 500;
                        }
                    }
                }
            }
        }
    }

     

    If this does not work, opening a JTAC case will be your next step though.

     

    Thanks!



  • 4.  RE: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

    Posted 08-12-2019 12:21

     

    Seems like good enough for me and many others 🙂

    (it's an iptables compatible one)


    Just to note that most Linux hosts shouldn't really accept a SACK packet with MSS lower then 5xx(56x?, don't remember).
    I have tested couple pieces of code with scapy and it's not simple to kill a host just out of the blue.

    There might be a legit connection that will state a < 500 MSS.

    Technically a better solution might be to remove the MSS part from the packet or upper it into 600.

    But it's better safe then sorry.

     

    The acutall implementation is a part of a negotation and the ACK can contain a disagreement on the MSS section.

     

    Thanks!



  • 5.  RE: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

    Posted 08-12-2019 13:10

     

    This what seems to be applied on my SRX

     

    custom-attack SACK {
        severity critical;
        attack-type {
            signature {
                protocol-binding {
                    tcp;
                }
                context packet;
                direction client-to-server;
                protocol {
                    tcp {
                        tcp-flags syn;
                        mss {
                            match less-than;
                            value 500;
                        }
                    }
                }
            }
        }
    }
    

     

    I have yet to manage apply to to the zone but at-least it's something.

    I do not have a `context tcp`  and it should be under `context packet`



  • 6.  RE: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

    Posted 08-12-2019 14:49

    Hello Elicro,

     

    Thanks for pointing that out.

     

    You are right. Context "packet" should cover it.

     

    I have corrected my reply now.

     

    Thanks!