WDC Tracking Number: WDC-19010
Published: July 15, 2019
Last Updated: July 15, 2019
Three related flaws were found in the Linux kernel’s handling of TCP Selective Acknowledgement (SACK) packets handling with low MSS size. The extent of impact at this time is understood to be limited to resource exhaustion and, in the case of CVE-2019-11477, system availability. No potential for privilege escalation or information leak is currently suspected.
While mitigations shown in this article are available, they might affect system performance as well as traffic from legitimate sources. Please evaluate the mitigation that is appropriate for the system’s environment before applying.
All ActiveScale OS (AOS) versions up to and including 5.5.0 and Active Archive EasiScale (ES) operating system versions up to and including version 4.3.0 are affected by these vulnerabilities. Tables AOS-SACK Vulnerability Matrix and ES-SACK Vulnerability Matrix indicate details and recommended actions.
ActiveScale AOS-SACK Vulnerability Matrix
Active Archive ES-SACK Vulnerability Matrix
Western Digital is releasing a software patch release for ActiveScale Systems to address the vulnerabilities and recommends upgrading all deployed systems.
The most severe of the three vulnerabilities known as SACK Panic CVE-2019-11477 could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system’s availability. CVE-2019-11478 and CVE-2019-11479, while less severe could still lead to a potential resource exhaustion on affected systems.
These issues are corrected either through applying mitigations or Linux kernel patches. Patches are released for CVE-2019-11477 and CVE-2019-11478. The vulnerability described in CVE-2019-1149 is primarily due to the TCP specifications not defining a minimum value for the Minimum Segment Size (MSS).
The option to set the Minimum Segment Size has been added to Linux upstream and is distributed downstream available in most recent versions. Note that limitations to MSS cannot be applied automatically and must be made on a case-by-case basis because it may break valid TCP connections.
Western Digital incorporated these kernel patches and the ability to set the MSS in software patches.
For mitigations, contact Western Digital support by calling or submitting a support ticket request.