SRX Services Gateway
SRX Services Gateway

Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

‎08-09-2019 06:00 AM

I have a Linux Servers network that sits beihnd a SRX device.

Some of them cannot be upgraded and are vulnerable to TCP Sack Panic CVE.
I cannot upgrade these Servers at the time and on more then one node there is no iptables compiled in the kernel.

The Ubuntu, RedHat and others give couple recommendations.(https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic)

The most sano of them for my systems is the one which ipables drops every packet with mss between 0 to 500.

iptables -I FORWARD 1 -p tcp -m tcpmss --mss 1:500 -j DROP

I was wondering if is there any possible way to do the same on SRX to proctect my vulnurable hosts?

 

Thanks,

Eliezer

5 REPLIES 5
SRX Services Gateway

Re: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

‎08-11-2019 11:03 AM

Hi Elicro,

 

It is not possible to block the packet based on the MSS filter. Also, I checked for Screens/IDP signatures as well and there isn't any. 

I would suggest you contact JTAC as they might provide you with more information.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
SRX Services Gateway
Solution
Accepted by topic author elicro
‎08-12-2019 12:21 PM

Re: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

[ Edited ]
‎08-12-2019 11:07 AM

Hello Elicro,

 

As already pointed out, currently there does NOT appear to have any pre-defined screen/IDP signature for it.

I think you can create customized signature definition like the following and use it in IDP to protect your legacy servers.

 

 

custom-attack SACK {
    severity critical;
    attack-type {
        signature {
            context packet;
            direction client-to-server;
            protocol {
                tcp {
                    mss {
                        match less-than;
                        value 500;
                    }
                }
            }
        }
    }
}

 

If this does not work, opening a JTAC case will be your next step though.

 

Thanks!

SRX Services Gateway

Re: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

‎08-12-2019 12:20 PM

 

Seems like good enough for me and many others Smiley Happy

(it's an iptables compatible one)


Just to note that most Linux hosts shouldn't really accept a SACK packet with MSS lower then 5xx(56x?, don't remember).
I have tested couple pieces of code with scapy and it's not simple to kill a host just out of the blue.

There might be a legit connection that will state a < 500 MSS.

Technically a better solution might be to remove the MSS part from the packet or upper it into 600.

But it's better safe then sorry.

 

The acutall implementation is a part of a negotation and the ACK can contain a disagreement on the MSS section.

 

Thanks!

SRX Services Gateway

Re: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

‎08-12-2019 01:09 PM

 

This what seems to be applied on my SRX

 

custom-attack SACK {
    severity critical;
    attack-type {
        signature {
            protocol-binding {
                tcp;
            }
            context packet;
            direction client-to-server;
            protocol {
                tcp {
                    tcp-flags syn;
                    mss {
                        match less-than;
                        value 500;
                    }
                }
            }
        }
    }
}

 

I have yet to manage apply to to the zone but at-least it's something.

I do not have a `context tcp`  and it should be under `context packet`

Highlighted
SRX Services Gateway

Re: Protecting old Linux hosts against TCP Sack Panic with SRX, hoe?

[ Edited ]
‎08-12-2019 02:49 PM

Hello Elicro,

 

Thanks for pointing that out.

 

You are right. Context "packet" should cover it.

 

I have corrected my reply now.

 

Thanks!