Follow @discotekdotca
CVE-2019-11479
Current Description
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.
Basic Data
| Published | June 19, 2019 |
|---|---|
| Last Modified | September 15, 2020 |
| Assigner | cve@mitre.org |
| Data Type | CVE |
| Data Format | MITRE |
| Data Version | 4.0 |
| Problem Type | CWE-400 |
| CVE Data Version | 4.0 |
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|---|
| CVSS 2 - Vector String | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| CVSS 2 - Access Vector | NETWORK |
| CVSS 2 - Access Complexity | LOW |
| CVSS 2 - Authentication | NONE |
| CVSS 2 - Confidentiality Impact | NONE |
| CVSS 2 - Availability Impact | PARTIAL |
| CVSS 2 - Base Score | 5.0 |
| Severity | MEDIUM |
| Exploitability Score | 10.0 |
| Impact Score | 2.9 |
| Obtain All Privilege | false |
| Obtain User Privilege | false |
| Obtain Other Privilege | false |
Base Metric V3
| CVSS 3 - Version | 3.0 |
|---|---|
| CVSS 3 - Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVSS 3 - Attack Vector | NETWORK |
| CVSS 3 - Attack Complexity | LOW |
| CVSS 3 - Privileges Required | NONE |
| CVSS 3 - User Interaction | NONE |
| CVSS 3 - Scope | UNCHANGED |
| CVSS 3 - Confidentiality Impact | NONE |
| CVSS 3 - Integrity Impact | NONE |
| CVSS 3 - Availability Impact | HIGH |
| CVSS 3 - Base Score | 7.5 |
| CVSS 3 - Base Severity | HIGH |
| Exploitability Score | 3.9 |
| Base Severity | HIGH |
Configurations
-
OR - Configuration 1
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 OS Linux Linux Kernel * * * * * * * * 4.20 5.1.11 2.3 OS Linux Linux Kernel * * * * * * * * 4.15 4.19.52 2.3 OS Linux Linux Kernel * * * * * * * * 4.10 4.14.127 2.3 OS Linux Linux Kernel * * * * * * * * 4.5 4.9.182 2.3 OS Linux Linux Kernel * * * * * * * * 4.4.182 -
OR - Configuration 2
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Advanced Firewall Manager 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Advanced Firewall Manager * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Advanced Firewall Manager * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Advanced Firewall Manager * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Advanced Firewall Manager * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 3
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Access Policy Manager 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Access Policy Manager * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Access Policy Manager * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Access Policy Manager * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Access Policy Manager * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 4
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Application Acceleration Manager 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Application Acceleration Manager * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Application Acceleration Manager * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Application Acceleration Manager * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Application Acceleration Manager * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 5
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Link Controller 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Link Controller * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Link Controller * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Link Controller * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Link Controller * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 6
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Policy Enforcement Manager 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Policy Enforcement Manager * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Policy Enforcement Manager * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Policy Enforcement Manager * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Policy Enforcement Manager * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 7
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Webaccelerator 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Webaccelerator * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Webaccelerator * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Webaccelerator * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Webaccelerator * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 8
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Application Security Manager 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Application Security Manager * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Application Security Manager * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Application Security Manager * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Application Security Manager * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 9
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Local Traffic Manager 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Local Traffic Manager * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Local Traffic Manager * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Local Traffic Manager * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Local Traffic Manager * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 10
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Fraud Protection Service 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Fraud Protection Service * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Fraud Protection Service * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Fraud Protection Service * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Fraud Protection Service * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 11
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Global Traffic Manager 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Global Traffic Manager * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Global Traffic Manager * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Global Traffic Manager * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Global Traffic Manager * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 12
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Analytics 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Analytics * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Analytics * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Analytics * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Analytics * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 13
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Edge Gateway 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Edge Gateway * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Edge Gateway * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Edge Gateway * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Edge Gateway * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 14
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application F5 Big-ip Domain Name System 15.0.0 * * * * * * * 2.3 Application F5 Big-ip Domain Name System * * * * * * * * 14.0.0 14.1.0 2.3 Application F5 Big-ip Domain Name System * * * * * * * * 13.1.0 13.1.1 2.3 Application F5 Big-ip Domain Name System * * * * * * * * 12.1.0 12.1.4 2.3 Application F5 Big-ip Domain Name System * * * * * * * * 11.5.2 11.6.4 -
OR - Configuration 15
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 OS Canonical Ubuntu Linux 19.04 * * * * * * * 2.3 OS Canonical Ubuntu Linux 18.10 * * * * * * * 2.3 OS Canonical Ubuntu Linux 18.04 * * * lts * * * 2.3 OS Canonical Ubuntu Linux 16.04 * * * lts * * * 2.3 OS Canonical Ubuntu Linux 14.04 * * * esm * * * 2.3 OS Canonical Ubuntu Linux 12.04 * * * esm * * * -
OR - Configuration 16
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 OS Redhat Virtualization 4.0 * * * * * * * 2.3 OS Redhat Enterprise Linux Eus 7.5 * * * * * * * 2.3 OS Redhat Enterprise Linux Eus 7.4 * * * * * * * 2.3 OS Redhat Enterprise Linux Aus 6.6 * * * * * * * 2.3 OS Redhat Enterprise Linux Aus 6.5 * * * * * * * 2.3 OS Redhat Enterprise Linux 8.0 * * * * * * * 2.3 OS Redhat Enterprise Linux 7.0 * * * * * * * 2.3 OS Redhat Enterprise Linux 6.0 * * * * * * * 2.3 OS Redhat Enterprise Linux 5.0 * * * * * * * 2.3 Application Redhat Enterprise Mrg 2.0 * * * * * * * 2.3 Application Redhat Enterprise Linux Atomic Host - * * * * * * * -
OR - Configuration 17
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application Pulsesecure Pulse Secure Virtual Application Delivery Controller - * * * * * * * 2.3 Application Pulsesecure Pulse Policy Secure - * * * * * * * 2.3 Application Pulsesecure Pulse Connect Secure - * * * * * * *
Vulnerable Software List
| Vendor | Product | Versions |
|---|---|---|
| Pulsesecure | Pulse Connect Secure | - |
| Pulsesecure | Pulse Secure Virtual Application Delivery Controller | - |
| Pulsesecure | Pulse Policy Secure | - |
| Redhat | Enterprise Linux Eus | 7.4, 7.5 |
| Redhat | Enterprise Linux Atomic Host | - |
| Redhat | Enterprise Linux | 5.0, 6.0, 7.0, 8.0 |
| Redhat | Enterprise Linux Aus | 6.5, 6.6 |
| Redhat | Enterprise Mrg | 2.0 |
| Redhat | Virtualization | 4.0 |
| Canonical | Ubuntu Linux | 12.04, 14.04, 16.04, 18.04, 18.10, 19.04 |
| Linux | Linux Kernel | * |
| F5 | Big-ip Application Security Manager | *, 15.0.0 |
| F5 | Big-ip Domain Name System | *, 15.0.0 |
| F5 | Big-ip Fraud Protection Service | *, 15.0.0 |
| F5 | Big-ip Access Policy Manager | *, 15.0.0 |
| F5 | Big-ip Analytics | *, 15.0.0 |
| F5 | Big-ip Edge Gateway | *, 15.0.0 |
| F5 | Big-ip Global Traffic Manager | *, 15.0.0 |
| F5 | Big-ip Link Controller | *, 15.0.0 |
| F5 | Big-ip Advanced Firewall Manager | *, 15.0.0 |
| F5 | Big-ip Local Traffic Manager | *, 15.0.0 |
| F5 | Big-ip Application Acceleration Manager | *, 15.0.0 |
| F5 | Big-ip Policy Enforcement Manager | *, 15.0.0 |
| F5 | Big-ip Webaccelerator | *, 15.0.0 |
References
| Name | Source | URL | Tags |
|---|---|---|---|
| USN-4041-2 | UBUNTU | https://usn.ubuntu.com/4041-2/ | Mitigation Third Party Advisory Third Party Advisory Patch Mailing List Mailing List Third Party Advisory Third Party Advisory |
| USN-4041-1 | UBUNTU | https://usn.ubuntu.com/4041-1/ | Third Party Advisory Third Party Advisory Patch Patch VDB Entry |
| https://support.f5.com/csp/article/K35421172?utm_source=f5support&utm_medium=RSS | CONFIRM | https://support.f5.com/csp/article/K35421172?utm_source=f5support&utm_medium=RSS | Vendor Advisory Vendor Advisory |
| https://support.f5.com/csp/article/K35421172 | CONFIRM | https://support.f5.com/csp/article/K35421172 | |
| https://security.netapp.com/advisory/ntap-20190625-0001/ | CONFIRM | https://security.netapp.com/advisory/ntap-20190625-0001/ | |
| https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0008 | CONFIRM | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0008 | |
| https://kc.mcafee.com/corporate/index?page=content&id=SB10287 | CONFIRM | https://kc.mcafee.com/corporate/index?page=content&id=SB10287 | |
| https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44193 | CONFIRM | https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44193 | |
| https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md | MISC | https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md | |
| https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6 | MISC | https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6 | |
| https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363 | MISC | https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363 | |
| https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf | CONFIRM | https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf | |
| https://access.redhat.com/security/vulnerabilities/tcpsack | MISC | https://access.redhat.com/security/vulnerabilities/tcpsack | |
| RHSA-2019:1602 | REDHAT | https://access.redhat.com/errata/RHSA-2019:1602 | |
| RHSA-2019:1699 | REDHAT | https://access.redhat.com/errata/RHSA-2019:1699 | |
| RHSA-2019:1594 | REDHAT | https://access.redhat.com/errata/RHSA-2019:1594 | |
| 108818 | BID | http://www.securityfocus.com/bid/108818 | |
| [oss-security] 20190706 Re: linux-distros membership application - Microsoft | MLIST | http://www.openwall.com/lists/oss-security/2019/07/06/4 | |
| [oss-security] 20190706 Re: linux-distros membership application - Microsoft | MLIST | http://www.openwall.com/lists/oss-security/2019/07/06/3 | |
| [oss-security] 20190628 Re: linux-distros membership application - Microsoft | MLIST | http://www.openwall.com/lists/oss-security/2019/06/28/2 | |
| http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt | CONFIRM | http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt | |
| https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic | MISC | https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic | |
| VU#905115 | CERT-VN | https://www.kb.cert.org/vuls/id/905115 | |
| https://www.oracle.com/security-alerts/cpujan2020.html | MISC | https://www.oracle.com/security-alerts/cpujan2020.html | |
| https://www.synology.com/security/advisory/Synology_SA_19_28 | CONFIRM | https://www.synology.com/security/advisory/Synology_SA_19_28 | |
| https://www.us-cert.gov/ics/advisories/icsa-19-253-03 | MISC | https://www.us-cert.gov/ics/advisories/icsa-19-253-03 | |
| https://www.us-cert.gov/ics/advisories/icsma-20-170-06 | MISC | https://www.us-cert.gov/ics/advisories/icsma-20-170-06 |