Netgate Discussion Forum

    Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!

Category: Firewalling (14 Posts, 5 Posters, 1.9k Views)
neti

Is there a way to protect systems behind the pfSense?
With synproxy and pf scrubbing?

neti

How to do something like this on the pfSense?
        iptables -I INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

KOM

Blocking all ICMP traffic to your NATs would be a quick temporary fix.

neti @KOM

@KOM ping ... oh, nothing here ...?
I am asking for a filter.
I don't want to hide servers....

KOM

@neti said in Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!:

iptables -I INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

No, you can't do that.

@neti said in Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!:

I don't want to hide servers....

Blocking ICMP would only block ping, so unless your users only ping your servers all day long, the servers would still be available.

Rico LAYER 8 Rebel Alliance

AFAIK SACK has nothing to do with ICMP ping.
If you have, let's say, a web server running on port 80/443, it can be attacked via CVE-2019-11477 on those ports.

                -Rico

neti

@neti said in Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!:

With synproxy and pf scrubbing?

My question is how can I protect servers behind the pfSense?
Can I use synproxy to protect the servers?
Can I use pf scrubbing?

I cannot find any filter option for min or max MSS.

KOM

Sorry, I'm being dumb here. I got hung up on the moniker Ping of Death and thought it was a malformed ICMP packet issue. The CVEs aren't filled in yet, so there isn't a lot of detail there.

                    Snort or Suricata may come out with an update to detect it. Otherwise, keep close watch on your distro's security announcements for the patch and apply it ASAP. It may already be available as I type this.

neti @KOM

                      short overview: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
                      more detail: https://access.redhat.com/security/vulnerabilities/tcpsack

dalybrian

                        Just sharing more details … not sure if or how this affects pfSense.

                        https://nakedsecurity.sophos.com/2019/06/19/netflix-researcher-spots-tcp-sack-flaws-in-linux-and-freebsd/

                        https://kb.cert.org/vuls/id/905115/

KOM @dalybrian

                          @dalybrian It's been said here, on twitter and on reddit. pfSense 2.4.4 is not affected by any of these at all.

Rico LAYER 8 Rebel Alliance

                            https://forum.netgate.com/topic/144257/new-ping-based-attack/3

                            -Rico

KOM @Rico

                              @Rico Thank you. I was trying to find that post but couldn't remember where it was.

jimp Rebel Alliance Developer Netgate @neti

@neti said in Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!:

My question is how can I protect servers behind the pfSense?
Can I use synproxy to protect the servers?
Can I use pf scrubbing?

I cannot find any filter option for min or max MSS.

                                pf doesn't have an option to check the MSS explicitly. There is a scrub option to enforce a maximum MSS, but that's it. The scrub function doesn't check for a minimum MSS as far as I can see.

                                I'm not sure if synproxy would help you, it may introduce some other problems as well. Worth a try if you have an exploit test you can run against a vulnerable system.

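To make the distinction in the post above concrete, here is an added example written for this page; it is not code from pfSense, pf, iptables or any poster in the thread. It is a small Python parser that reads the MSS option out of a constructed TCP SYN and emulates the two knobs the thread discusses: the iptables `-m tcpmss --mss 1:500` match (a minimum-MSS drop) and pf's `scrub max-mss` (a maximum-MSS clamp). The packets are built inline with the TCP checksum left at zero, the 1440 clamp value is the example's own assumption, the 1:500 range is taken from the rule posted earlier in the thread, and the pf behaviour is emulated from the documented semantics of `max-mss`, not copied from pf's source.

```python
"""Classify TCP SYN segments by their MSS option (added example, not pf/pfSense code).

Two different checks are emulated:
  * iptables `-p tcp -m tcpmss --mss 1:500` matches a segment whose MSS option
    is present and lies in [1, 500]; with -j DROP that SYN is rejected.
  * pf `scrub ... max-mss N` rewrites an MSS option larger than N down to N and
    leaves a smaller value alone, so it cannot reject a tiny MSS.
"""
import struct
from typing import Iterator, Optional, Tuple

MSS_KIND = 2  # TCP option kind for Maximum Segment Size


def build_tcp_syn(mss: Optional[int], src_port: int = 40000, dst_port: int = 443) -> bytes:
    """Constructed sample: a bare TCP header (no IP header, checksum left 0)
    with the SYN flag set and, if given, an MSS option (kind 2, length 4)."""
    options = b"" if mss is None else struct.pack("!BBH", MSS_KIND, 4, mss)
    options += b"\x00" * (-len(options) % 4)         # pad to 32-bit boundary with EOL
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port,
                         1000, 0,                      # seq, ack
                         data_offset << 4, 0x02,       # data offset, flags = SYN
                         65535, 0, 0)                  # window, checksum, urgent ptr
    return header + options


def _walk_options(segment: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (kind, value_start, value_end) for each TCP option in the header,
    stopping at EOL or at anything malformed (bad length, truncated option)."""
    if len(segment) < 20:
        return
    end = (segment[12] >> 4) * 4
    if end < 20 or end > len(segment):
        return
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                                  # EOL
            return
        if kind == 1:                                  # NOP, single byte
            i += 1
            continue
        if i + 1 >= end:                               # kind byte with no length byte
            return
        length = segment[i + 1]
        if length < 2 or i + length > end:             # malformed length
            return
        yield kind, i + 2, i + length
        i += length


def get_mss(segment: bytes) -> Optional[int]:
    """Return the MSS option value, or None if absent or malformed."""
    for kind, start, stop in _walk_options(segment):
        if kind == MSS_KIND and stop - start == 2:
            return struct.unpack("!H", segment[start:stop])[0]
    return None


def iptables_mss_match(segment: bytes, lo: int = 1, hi: int = 500) -> bool:
    """Emulate `-m tcpmss --mss lo:hi`: True when an MSS option is present
    and its value is within [lo, hi] (i.e. the SYN would be dropped)."""
    mss = get_mss(segment)
    return mss is not None and lo <= mss <= hi


def pf_max_mss_clamp(segment: bytes, max_mss: int) -> bytes:
    """Emulate pf `scrub max-mss`: rewrite an MSS above max_mss down to max_mss;
    smaller values pass through untouched. Checksum fix-up is skipped here."""
    out = bytearray(segment)
    for kind, start, stop in _walk_options(segment):
        if kind == MSS_KIND and stop - start == 2:
            mss = struct.unpack("!H", segment[start:stop])[0]
            if mss > max_mss:
                out[start:stop] = struct.pack("!H", max_mss)
    return bytes(out)


def classify(segment: bytes, max_mss: int = 1440) -> dict:
    """Run both checks over one SYN and report what each would do to it."""
    clamped = pf_max_mss_clamp(segment, max_mss)
    return {
        "mss": get_mss(segment),
        "iptables_drop": iptables_mss_match(segment),
        "pf_mss_after_clamp": get_mss(clamped),
    }


if __name__ == "__main__":
    for label, mss in (("normal", 1460), ("tiny", 48), ("no option", None)):
        print(label, classify(build_tcp_syn(mss)))
```

Running it shows that a SYN advertising an MSS of 48 is dropped by the iptables-style range match but passes the pf-style clamp unchanged, while a normal 1460 is clamped to 1440 and never matched by the drop rule; a SYN with no MSS option matches neither. That is the practical gap between a maximum-MSS scrub and the minimum-MSS filter asked about in the thread.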
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.