Netgate Discussion Forum

    Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!

    Firewalling
    14 Posts 5 Posters 1.9k Views
    • KOM

      iptables -I INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

      No, you can't do that

      I don't want to hide Servers...

      Blocking ICMP would only block ping, so unless your users only ping your servers all day long, the servers would still be available.

      • Rico LAYER 8 Rebel Alliance

        AFAIK SACK has nothing to do with ICMP PING.
        If you have, let's say, a Webserver running on Port 80/443, it can be attacked via CVE-2019-11477 on those ports.

        -Rico

        • neti

          @neti said in Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!:

          With synproxy?! and pf scrubbing?

          My question is: how can I protect servers behind the pfSense?
          Can I use synproxy to protect the servers?
          Can I use pf scrubbing?

          I cannot find any filter option for min or max mss.

          • KOM

            Sorry, I'm being dumb here. I got hung up on the moniker Ping of Death and thought it was a malformed ICMP packet issue. The CVEs aren't filled in yet, so there isn't a lot of detail there.

            Snort or Suricata may come out with an update to detect it. Otherwise, keep close watch on your distro's security announcements for the patch and apply it ASAP. It may already be available as I type this.

            • neti @KOM

              short overview: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
              more detail: https://access.redhat.com/security/vulnerabilities/tcpsack

              • dalybrian

                Just sharing more details … not sure if or how this affects pfSense.

                https://nakedsecurity.sophos.com/2019/06/19/netflix-researcher-spots-tcp-sack-flaws-in-linux-and-freebsd/

                https://kb.cert.org/vuls/id/905115/

                • KOM @dalybrian

                  @dalybrian It's been said here, on twitter and on reddit. pfSense 2.4.4 is not affected by any of these at all.

                  • Rico LAYER 8 Rebel Alliance

                    https://forum.netgate.com/topic/144257/new-ping-based-attack/3

                    -Rico

                    • KOM @Rico

                      @Rico Thank you. I was trying to find that post but couldn't remember where it was.

                      • jimp Rebel Alliance Developer Netgate @neti

                        @neti said in Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!:

                        My question is: how can I protect servers behind the pfSense?
                        Can I use synproxy to protect the servers?
                        Can I use pf scrubbing?

                        I cannot find any filter option for min or max mss.

                        pf doesn't have an option to check the MSS explicitly. There is a scrub option to enforce a maximum MSS, but that's it. The scrub function doesn't check for a minimum MSS as far as I can see.

                        I'm not sure if synproxy would help you; it may introduce some other problems as well. Worth a try if you have an exploit test you can run against a vulnerable system.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

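The thread's quoted iptables rule drops SYNs carrying a TCP MSS of 1..500, and jimp's reply above notes that pf's scrub can cap an MSS but cannot match on a minimum. The following is an added example, not code from this forum or from pfSense/Netgate: a small TCP option parser that pulls the advertised MSS out of raw TCP header bytes and reports SYN segments whose MSS falls inside that 1..500 range, so an operator can audit captured traffic for such segments even where the firewall cannot filter on the value. The sample segments it runs on are constructed inline; the names build_syn, syn_mss, flag_low_mss and the threshold constant are my own.

```python
import struct

# Threshold taken from the iptables rule quoted in the thread (--mss 1:500).
LOW_MSS_THRESHOLD = 500

# TCP option kinds used below (RFC 793): 0 = end of list, 1 = NOP, 2 = MSS.
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {option kind: raw value bytes} for one TCP header.

    tcp_header must begin at the TCP header (byte 0 = source port high byte).
    EOL and NOP are single bytes; every other option is kind, length, value.
    """
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    result = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result[kind] = opts[i + 2:i + length]
        i += length
    return result


def syn_mss(tcp_header: bytes):
    """MSS advertised by a SYN segment, or None if not a SYN or no MSS option."""
    flags = tcp_header[13]
    if not flags & 0x02:                         # SYN bit clear: MSS only appears on SYNs
        return None
    mss = parse_tcp_options(tcp_header).get(OPT_MSS)
    if mss is None or len(mss) != 2:
        return None
    return struct.unpack("!H", mss)[0]


def flag_low_mss(headers, threshold=LOW_MSS_THRESHOLD):
    """Return [(index, mss)] for SYNs whose MSS is in 1..threshold inclusive."""
    hits = []
    for idx, hdr in enumerate(headers):
        mss = syn_mss(hdr)
        if mss is not None and 1 <= mss <= threshold:
            hits.append((idx, mss))
    return hits


def build_syn(mss: int, flags: int = 0x02, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed sample segment (hypothetical values, no checksum) for testing."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) # MSS option: kind 2, length 4, value
    data_offset = (20 + len(options)) // 4         # 24 bytes -> 6 words
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,
                         0x12345678,               # sequence number
                         0,                        # acknowledgement number
                         data_offset << 4,         # data offset, reserved bits zero
                         flags,
                         65535,                    # window
                         0,                        # checksum (not computed here)
                         0)                        # urgent pointer
    return header + options


if __name__ == "__main__":
    # Constructed sample: one normal SYN, two low-MSS SYNs, one ACK-only segment.
    sample = [build_syn(1460), build_syn(48), build_syn(500), build_syn(48, flags=0x10)]
    for idx, mss in flag_low_mss(sample):
        print(f"segment {idx}: SYN with MSS {mss} (<= {LOW_MSS_THRESHOLD})")
```

To use it on real traffic, hand each TCP header (sliced from a capture after the IP header) to flag_low_mss; only SYN segments are inspected because MSS is negotiated only there, and the parser refuses malformed option lengths rather than guessing.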
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.