Recently there was a report about Linux’s SACK implementation where a packet could cause a kernel panic.
This is fixed in 4.9.182 and above. AR750S’s 3.025 firmware is using 4.9.120. Could we please get an updated kernel? Thanks.
1 Like
OpenWRT has backported fixes in the 18.06 branch…
commit 9de2f4d4ce9de57fd3b17a1ced46f3287c893d8a
Author: Koen Vandeputte <koen.vandeputte@ncentric.com>
Date: Tue Jun 18 11:59:13 2019 +0200
kernel: bump 4.9 to 4.9.182
Refreshed all patches.
Fixes:
- CVE-2019-11479
- CVE-2019-11478
- CVE-2019-11477
Compile-tested on: ar71xx
Runtime-tested on: ar71xx
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Bump.
I just checked the recently released 025 and it appears not to have the fixed kernel. Please update the kernel accordingly. Thanks.
The vulnerabilities is related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK), so a temporary workarounds:
- Disable SACK processing by executing "
sysctl -w net.ipv4.tcp_sack=0". And to make it permanent across reboots, "echo "net.ipv4.tcp_sack=0" > /etc/sysctl.d/90-SACK_Panic.conf". - Block low-MSS packets on the firewall with "
echo "iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP" >> /etc/firewall.user".
Disabling SACK isn’t necessarily a good long term solution.
Given that OpenWRT has it fixed upstream, is it a lot of work for you to rebase on that newer OpenWRT release?
OpenWRT will release 19.07 this month hopefully, so there is no point in making a release based on 18.06.4.
Kyson gave you a temporary solution in the meantime.
1 Like