CVE-2019-11479

Current Description

Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

Basic Data

Published: June 19, 2019
Last Modified: September 15, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-400
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 5.0
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: LOW
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: NONE
CVSS 3 - Integrity Impact: NONE
CVSS 3 - Availability Impact: HIGH
CVSS 3 - Base Score: 7.5
CVSS 3 - Base Severity: HIGH
Exploitability Score: 3.9
Base Severity: HIGH

Configurations

  Each configuration lists CPE 2.3 entries. Columns not shown (Update, Edition, Language, SW Edition, Target SW, Target HW, Other) are "*" unless stated. Version ranges give the Version Start / Version End bounds with their Including / Excluding qualifier.

  • OR - Configuration 1
    CPE 2.3 / Part: OS / Vendor: Linux / Product: Linux Kernel
      Version Start Including 4.20, Version End Excluding 5.1.11
      Version Start Including 4.15, Version End Excluding 4.19.52
      Version Start Including 4.10, Version End Excluding 4.14.127
      Version Start Including 4.5, Version End Excluding 4.9.182
      Version End Excluding 4.4.182
  • OR - Configuration 2
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Advanced Firewall Manager
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 3
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Access Policy Manager
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 4
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Application Acceleration Manager
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 5
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Link Controller
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 6
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Policy Enforcement Manager
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 7
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Webaccelerator
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 8
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Application Security Manager
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 9
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Local Traffic Manager
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 10
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Fraud Protection Service
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 11
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Global Traffic Manager
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 12
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Analytics
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 13
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Edge Gateway
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 14
    CPE 2.3 / Part: Application / Vendor: F5 / Product: Big-ip Domain Name System
      Version 15.0.0
      Version Start Including 14.0.0, Version End Including 14.1.0
      Version Start Including 13.1.0, Version End Including 13.1.1
      Version Start Including 12.1.0, Version End Including 12.1.4
      Version Start Including 11.5.2, Version End Including 11.6.4
  • OR - Configuration 15
    CPE 2.3 / Part: OS / Vendor: Canonical / Product: Ubuntu Linux
      Version 19.04
      Version 18.10
      Version 18.04, SW Edition lts
      Version 16.04, SW Edition lts
      Version 14.04, SW Edition esm
      Version 12.04, SW Edition esm
  • OR - Configuration 16
    CPE 2.3 / Part: OS / Vendor: Redhat
      Product: Virtualization, Version 4.0
      Product: Enterprise Linux Eus, Version 7.5
      Product: Enterprise Linux Eus, Version 7.4
      Product: Enterprise Linux Aus, Version 6.6
      Product: Enterprise Linux Aus, Version 6.5
      Product: Enterprise Linux, Version 8.0
      Product: Enterprise Linux, Version 7.0
      Product: Enterprise Linux, Version 6.0
      Product: Enterprise Linux, Version 5.0
    CPE 2.3 / Part: Application / Vendor: Redhat
      Product: Enterprise Mrg, Version 2.0
      Product: Enterprise Linux Atomic Host, Version -
  • OR - Configuration 17
    CPE 2.3 / Part: Application / Vendor: Pulsesecure
      Product: Pulse Secure Virtual Application Delivery Controller, Version -
      Product: Pulse Policy Secure, Version -
      Product: Pulse Connect Secure, Version -

Vulnerable Software List

Vendor | Product | Versions
Pulsesecure Pulse Connect Secure -
Pulsesecure Pulse Secure Virtual Application Delivery Controller -
Pulsesecure Pulse Policy Secure -
Redhat Enterprise Linux Eus 7.4, 7.5
Redhat Enterprise Linux Atomic Host -
Redhat Enterprise Linux 5.0, 6.0, 7.0, 8.0
Redhat Enterprise Linux Aus 6.5, 6.6
Redhat Enterprise Mrg 2.0
Redhat Virtualization 4.0
Canonical Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 18.10, 19.04
Linux Linux Kernel *
F5 Big-ip Application Security Manager *, 15.0.0
F5 Big-ip Domain Name System *, 15.0.0
F5 Big-ip Fraud Protection Service *, 15.0.0
F5 Big-ip Access Policy Manager *, 15.0.0
F5 Big-ip Analytics *, 15.0.0
F5 Big-ip Edge Gateway *, 15.0.0
F5 Big-ip Global Traffic Manager *, 15.0.0
F5 Big-ip Link Controller *, 15.0.0
F5 Big-ip Advanced Firewall Manager *, 15.0.0
F5 Big-ip Local Traffic Manager *, 15.0.0
F5 Big-ip Application Acceleration Manager *, 15.0.0
F5 Big-ip Policy Enforcement Manager *, 15.0.0
F5 Big-ip Webaccelerator *, 15.0.0

References

Name | Source | URL | Tags ("(URL)" in the Name column means the entry is named by its URL)
USN-4041-2 | UBUNTU | https://usn.ubuntu.com/4041-2/ | Mitigation, Third Party Advisory, Patch, Mailing List
USN-4041-1 | UBUNTU | https://usn.ubuntu.com/4041-1/ | Third Party Advisory, Patch, VDB Entry
(URL) | CONFIRM | https://support.f5.com/csp/article/K35421172?utm_source=f5support&utm_medium=RSS | Vendor Advisory
(URL) | CONFIRM | https://support.f5.com/csp/article/K35421172
(URL) | CONFIRM | https://security.netapp.com/advisory/ntap-20190625-0001/
(URL) | CONFIRM | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0008
(URL) | CONFIRM | https://kc.mcafee.com/corporate/index?page=content&id=SB10287
(URL) | CONFIRM | https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44193
(URL) | MISC | https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
(URL) | MISC | https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
(URL) | MISC | https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
(URL) | CONFIRM | https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf
(URL) | MISC | https://access.redhat.com/security/vulnerabilities/tcpsack
RHSA-2019:1602 | REDHAT | https://access.redhat.com/errata/RHSA-2019:1602
RHSA-2019:1699 | REDHAT | https://access.redhat.com/errata/RHSA-2019:1699
RHSA-2019:1594 | REDHAT | https://access.redhat.com/errata/RHSA-2019:1594
108818 | BID | http://www.securityfocus.com/bid/108818
[oss-security] 20190706 Re: linux-distros membership application - Microsoft | MLIST | http://www.openwall.com/lists/oss-security/2019/07/06/4
[oss-security] 20190706 Re: linux-distros membership application - Microsoft | MLIST | http://www.openwall.com/lists/oss-security/2019/07/06/3
[oss-security] 20190628 Re: linux-distros membership application - Microsoft | MLIST | http://www.openwall.com/lists/oss-security/2019/06/28/2
(URL) | CONFIRM | http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt
(URL) | MISC | https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
VU#905115 | CERT-VN | https://www.kb.cert.org/vuls/id/905115
(URL) | MISC | https://www.oracle.com/security-alerts/cpujan2020.html
(URL) | CONFIRM | https://www.synology.com/security/advisory/Synology_SA_19_28
(URL) | MISC | https://www.us-cert.gov/ics/advisories/icsa-19-253-03
(URL) | MISC | https://www.us-cert.gov/ics/advisories/icsma-20-170-06