Recently there was a report about Linux’s SACK implementation where a packet could cause a kernel panic.
This is fixed in 4.9.182 and above. AR750S’s 3.025 firmware is using 4.9.120. Could we please get an updated kernel? Thanks.
Recently there was a report about Linux’s SACK implementation where a packet could cause a kernel panic.
This is fixed in 4.9.182 and above. AR750S’s 3.025 firmware is using 4.9.120. Could we please get an updated kernel? Thanks.
OpenWRT has backported fixes in the 18.06 branch…
commit 9de2f4d4ce9de57fd3b17a1ced46f3287c893d8a
Author: Koen Vandeputte <koen.vandeputte@ncentric.com>
Date: Tue Jun 18 11:59:13 2019 +0200
kernel: bump 4.9 to 4.9.182
Refreshed all patches.
Fixes:
- CVE-2019-11479
- CVE-2019-11478
- CVE-2019-11477
Compile-tested on: ar71xx
Runtime-tested on: ar71xx
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Bump.
I just checked the recently released 025 and it appears not to have the fixed kernel. Please update the kernel accordingly. Thanks.
The vulnerabilities is related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK), so a temporary workarounds:
sysctl -w net.ipv4.tcp_sack=0
". And to make it permanent across reboots, " echo "net.ipv4.tcp_sack=0" > /etc/sysctl.d/90-SACK_Panic.conf
".echo "iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP" >> /etc/firewall.user
".Disabling SACK isn’t necessarily a good long term solution.
Given that OpenWRT has it fixed upstream, is it a lot of work for you to rebase on that newer OpenWRT release?
OpenWRT will release 19.07 this month hopefully, so there is no point in making a release based on 18.06.4.
Kyson gave you a temporary solution in the meantime.