
PAN-SA-2019-0013 Information about TCP SACK Panic Findings in PAN-OS

Severity 7.5 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH

Description

Palo Alto Networks is aware of the recently disclosed Linux kernel vulnerabilities known as TCP SACK Panic. (Ref: PAN-119745 / CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Successful exploitation of these issues could allow an unprivileged remote user to trigger a kernel panic in systems running the affected software, resulting in a denial of service.

While these issues primarily affect the PAN-OS Management Plane (MP), MP services can also be exposed through Data Plane (DP) interfaces as a result of Service Route or Interface Management Profile configurations. Examples include Interface Management Profiles that permit HTTP/HTTPS access to the web interface, SSH, or response pages on a DP interface. In these cases, malicious traffic can reach the MP kernel through the DP interface. Hosts with unrestricted connectivity to the MP, such as internal hosts, may be able to use these issues to impact device availability.

PAN-OS is not affected by CVE-2019-5599, the related FreeBSD issue from the same disclosure.

This issue affects PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2-h3 and earlier.

GlobalProtect Gateway and GlobalProtect portal are NOT affected by these issues.

CVE-2019-11477, CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Jonathan Looney discovered that the 16-bit TCP_SKB_CB(skb)->tcp_gso_segs field in the Linux kernel could be overflowed when handling TCP Selective Acknowledgments (SACKs), leading to a kernel panic. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

CVE-2019-11478, CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Jonathan Looney discovered that the TCP retransmission queue in the Linux kernel could be fragmented excessively by tcp_fragment when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.

CVE-2019-11479, CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Jonathan Looney discovered that the Linux kernel's minimum send MSS was hard-coded to 48 bytes. By advertising a tiny MSS, a remote peer can force the kernel to fragment its TCP retransmission queues into far more segments than a larger enforced MSS would allow. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363 (which introduce and enforce the tcp_min_snd_mss sysctl).
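The 16-bit counter behind CVE-2019-11477, and why the 48-byte minimum MSS of CVE-2019-11479 makes it reachable, modelled as an added Python example. This is not Linux kernel code and not Palo Alto Networks code: the Skb class, the 40-byte option budget, the 4 KiB buffer size and the 512 KiB outstanding window are simplifying assumptions. The only facts taken from the kernel are that tcp_gso_segs is a u16 and that the fix refuses a SACK-driven merge whose combined segment count would not fit in it.

```python
"""Model of the u16 tcp_gso_segs wraparound (CWE-190) behind CVE-2019-11477.

Added illustration, not kernel code. A retransmit-queue buffer ("skb") is
reduced to its payload length and a 16-bit segment count.
"""
import ctypes
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

U16_MAX = 0xFFFF        # tcp_gso_segs is a 16-bit field in the kernel
TCP_OPTIONS_MAX = 40    # assumed: timestamps + SACK blocks fill the option space


@dataclass
class Skb:
    length: int      # bytes of TCP payload held by this buffer
    gso_segs: int    # number of MSS-sized segments it represents (u16 in the kernel)


def payload_per_segment(advertised_mss: int) -> int:
    """Payload bytes per segment after options; the 48-byte minimum MSS of
    CVE-2019-11479 leaves only 8 bytes of data per segment."""
    return max(advertised_mss - TCP_OPTIONS_MAX, 1)


def make_queue(total_bytes: int, skb_bytes: int, advertised_mss: int) -> List[Skb]:
    """Constructed retransmit queue: total_bytes outstanding, skb_bytes per buffer,
    each buffer counted in segments of the peer-advertised MSS."""
    per_seg = payload_per_segment(advertised_mss)
    segs = -(-skb_bytes // per_seg)  # ceiling division
    return [Skb(skb_bytes, segs) for _ in range(total_bytes // skb_bytes)]


def merge_unguarded(prev: Skb, skb: Skb) -> Optional[Skb]:
    """Pre-fix behaviour: the u16 counter wraps silently on addition."""
    wrapped = ctypes.c_uint16(prev.gso_segs + skb.gso_segs).value
    return Skb(prev.length + skb.length, wrapped)


def merge_guarded(prev: Skb, skb: Skb) -> Optional[Skb]:
    """Post-fix intent: refuse the shift when the combined count exceeds u16."""
    if prev.gso_segs + skb.gso_segs > U16_MAX:
        return None
    return Skb(prev.length + skb.length, prev.gso_segs + skb.gso_segs)


def coalesce(queue: List[Skb], merge: Callable[[Skb, Skb], Optional[Skb]]) -> Tuple[Skb, int]:
    """Fold the queue into one buffer the way SACK processing shifts data between
    neighbouring skbs, stopping at the first refused merge.
    Returns (merged buffer, number of buffers left unmerged)."""
    merged = queue[0]
    for i, skb in enumerate(queue[1:], start=1):
        nxt = merge(merged, skb)
        if nxt is None:
            return merged, len(queue) - i
        merged = nxt
    return merged, 0


def scenario(advertised_mss: int) -> dict:
    """512 KiB outstanding in 4 KiB buffers (assumed sizes) under a given peer MSS."""
    queue = make_queue(512 * 1024, 4096, advertised_mss)
    bad, _ = coalesce(queue, merge_unguarded)
    good, left = coalesce(queue, merge_guarded)
    return {
        "segments_per_skb": queue[0].gso_segs,
        "unguarded_gso_segs": bad.gso_segs,   # 0 with a 48-byte MSS: the inconsistent state that panics
        "guarded_gso_segs": good.gso_segs,
        "guarded_left_unmerged": left,
    }


if __name__ == "__main__":
    print("peer MSS 48  :", scenario(48))
    print("peer MSS 1460:", scenario(1460))
```

With a sane MSS of 1460 the same 512 KiB never comes near 65535 segments; with the 48-byte floor every buffer is counted in 8-byte segments and the unguarded counter wraps to 0 on the last merge, which is the kind of inconsistent state the kernel's sanity checks turn into a panic. The guarded merge instead leaves one buffer unmerged.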

Product Status

Versions      Affected       Unaffected
PAN-OS 9.0    <= 9.0.2-h3    >= 9.0.2-h4
PAN-OS 8.1    <= 8.1.8-h4    >= 8.1.8-h5
PAN-OS 8.0    <= 8.0.18      >= 8.0.19
PAN-OS 7.1    <= 7.1.23      >= 7.1.24
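A version check a practitioner can run across a fleet, as an added Python example (not Palo Alto Networks code): it takes the sw-version line from the output of the PAN-OS CLI command `show system info`, and compares the version against the fixed releases in the table above. The hotfix suffix is handled explicitly so that 8.1.8 sorts before 8.1.8-h4, which sorts before 8.1.8-h5. The SAMPLE_SYSTEM_INFO text is constructed for this example; the hostname, address and version values in it are made up.

```python
"""Check a PAN-OS version against the PAN-SA-2019-0013 Product Status table.

Added example, not vendor code. Versions are parsed as X.Y.Z with an optional
-hN hotfix suffix; a release without a hotfix is ordered before -h1.
"""
import re
from typing import Dict, Optional, Tuple

# First fixed release per affected train, from the advisory's Product Status table.
FIXED_IN: Dict[str, str] = {
    "7.1": "7.1.24",
    "8.0": "8.0.19",
    "8.1": "8.1.8-h5",
    "9.0": "9.0.2-h4",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fixed release of its train, False if at or
    above it, None if the train is not listed in the advisory at all."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def sw_version_from_system_info(output: str) -> str:
    """Extract the sw-version field from 'show system info' CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found in 'show system info' output")


# Constructed sample of 'show system info' output (values are made up).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
ip-address: 192.0.2.10
model: PA-220
sw-version: 8.1.8-h4
app-version: 8182-5623
"""


def assess(output: str) -> Tuple[str, Optional[bool]]:
    """Convenience wrapper: (version string, affected flag) for one device's output."""
    version = sw_version_from_system_info(output)
    return version, is_affected(version)


if __name__ == "__main__":
    version, affected = assess(SAMPLE_SYSTEM_INFO)
    state = {True: "AFFECTED", False: "not affected", None: "train not covered by advisory"}[affected]
    print(f"sw-version {version}: {state}")
```

A device on a train the table does not mention (for example a later release) returns None rather than False, so it is not silently reported as clean; treat that result as "check the current advisory" rather than "unaffected".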

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness Type

CWE-190 Integer Overflow or Wraparound

Solution

Upgrade to PAN-OS 7.1.24 or later, PAN-OS 8.0.19 or later, PAN-OS 8.1.8-h5 or later, or PAN-OS 9.0.2-h4 or later.

Workarounds and Mitigations

These issues affect the management interface of PAN-OS (and any data plane interface on which an Interface Management Profile or Service Route exposes management services) and are strongly mitigated by following best practices for securing the PAN-OS management interface. These guidelines reduce the exposure of the management interface to potential attackers. Please review the Best Practices for Securing Administrative Access in the PAN-OS 9.0 technical documentation, available at: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html.

© 2020 Palo Alto Networks, Inc. All rights reserved.