Announced 5 July 2019

Score: High

A security issue affects IGEL Linux-based operating systems in the following versions:

  • IGEL OS 11
  • IGEL OS 10
  • IGEL Linux 5

Details

Specially crafted network packets sent to a Linux host can crash the Linux kernel (CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479). Issues in the handling of the maximum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities can cause a kernel panic.

Update Instructions

  • IGEL OS 11: Update to IGEL OS 11.01.120
  • IGEL OS 10: Update to IGEL OS 10.05.830

Mitigation

  • IGEL Linux 5: Add the following command to System > Firmware Customization > Custom Commands > Base > Initialization:

      echo 0 > /proc/sys/net/ipv4/tcp_mtu_probing ; iptables -I INPUT -p tcp -m tcpmss --mss 1:1000 -j DROP
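
One way to confirm after boot that both parts of the IGEL Linux 5 mitigation took effect, as an added example (not IGEL's own tooling). The function names and the sample rule listings are constructed for illustration, and the rule text is assumed to be in `iptables -S INPUT` format.

```shell
#!/bin/sh
# Added example: verify the two parts of the IGEL Linux 5 mitigation.
# Function names and sample rule listings are constructed for illustration.

# Succeeds if the given tcp_mtu_probing value is 0.
probing_disabled() { [ "$1" = "0" ]; }

# Succeeds if the rules text (iptables -S INPUT format) holds a tcpmss DROP
# rule whose range covers MSS 1 through 1000. A negated match ("! --mss")
# does not count. Rule order relative to other rules is not evaluated.
mss_drop_rule() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-p tcp/ && /-m tcpmss/ && /-j DROP/ {
            for (i = 2; i < NF; i++) if ($i == "--mss" && $(i - 1) != "!") {
                n = split($(i + 1), r, ":")
                lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
                if (lo <= 1 && hi >= 1000) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Prints one status line; returns 0 only if both settings are in place.
mitigation_status() {
    if ! probing_disabled "$1"; then
        echo "FAIL: tcp_mtu_probing=$1 (expected 0)"; return 1
    fi
    if ! mss_drop_rule "$2"; then
        echo "FAIL: no tcpmss DROP rule covering MSS 1:1000 in INPUT"; return 1
    fi
    echo "OK: mitigation active"
}

# Constructed sample listings (not captured from a real device).
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcpmss --mss 1:1000 -j DROP'
NARROW_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP'
NEGATED_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcpmss ! --mss 1:1000 -j DROP'

mitigation_status 0 "$GOOD_RULES"
mitigation_status 1 "$GOOD_RULES" || true      # probing still enabled
mitigation_status 0 "$NARROW_RULES" || true    # range narrower than 1:1000
mitigation_status 0 "$NEGATED_RULES" || true   # negated match drops the wrong packets
```

On a device, pass the live values instead: `mitigation_status "$(cat /proc/sys/net/ipv4/tcp_mtu_probing)" "$(iptables -S INPUT)"`.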

References

Advisory from Netflix with further suggestions for workarounds:

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md