
SACKPanic Linux Kernel Vulnerability

Discussion in 'Asuswrt-Merlin' started by JDB, Jun 19, 2019.

  1. JDB

    JDB Very Senior Member

    Joined:
    Aug 28, 2016
    Messages:
    791
    bobpow likes this.
  2. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,296
    Should be easily fixable now with
    Code:
    echo 0 > /proc/sys/net/ipv4/tcp_sack
    assuming the firmware is vulnerable

    (edit: it's set to 1 on my 86u, so I've added the code above to init-start so I don't forget to re-apply after a reboot)
     
    Vexira, L&LD and JDB like this.
  3. JDB

    JDB Very Senior Member

    Joined:
    Aug 28, 2016
    Messages:
    791
    Thanks - yea I've done that on some of my other servers which I can't upgrade the kernel on in short order. Should probably do it on my router as well!
     
    Jack Yaz likes this.
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,847
    Location:
    UK
    There's already a thread about this here.

    I can't say I'm going to lose any sleep over this. But then I'm not running any public facing web services, let alone any "high profile" enough to be of interest to anybody.
     
    L&LD and JDB like this.
  5. JDB

    JDB Very Senior Member

    Joined:
    Aug 28, 2016
    Messages:
    791
    Ah, I searched for SACKPanic but it didn’t bring that thread up.
    Yea, it’s a fringe case for a home user, but there’ll be a load of people attempting it at all sorts of IPs now it’s known! I don’t expose any TCP ports publicly on the router anyway, I don’t think, so it’s even more unlikely to be attacked.


    Sent from my iPhone using Tapatalk
     
    CriticJay likes this.
  6. underdose

    underdose Regular Contributor

    Joined:
    Dec 13, 2017
    Messages:
    58
    Location:
    Istanbul
    I've read that the iptables command below is a better solution.

    Code:
    iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
    See the discussion here:
    https://news.ycombinator.com/item?id=20205566
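The two mitigations posted in this thread (the tcp_sack sysctl from post 2 and the iptables rule above) combined into one re-runnable helper for an init-start hook. This is an added example, not code from the thread or from Asuswrt-Merlin; the script name, the `apply` argument and the TCP_SACK_FILE override are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent helper in the style of an
# Asuswrt-Merlin /jffs/scripts/init-start hook that applies both mitigations
# discussed above. Paths and the "apply" argument are this example's choices.

TCP_SACK_FILE="${TCP_SACK_FILE:-/proc/sys/net/ipv4/tcp_sack}"
# Drop SYNs advertising an MSS of 1..500 bytes (the rule from the thread).
MSS_RULE="-p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP"

# sack_state [FILE]: print enabled/disabled/unknown for a tcp_sack control file.
sack_state() {
    f="${1:-$TCP_SACK_FILE}"
    [ -r "$f" ] || { echo unknown; return 1; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# disable_sack [FILE]: write 0, then read back to confirm it took effect.
disable_sack() {
    f="${1:-$TCP_SACK_FILE}"
    echo 0 > "$f" || return 1
    [ "$(sack_state "$f")" = disabled ]
}

# mss_rule_present RULESET: succeed if an INPUT rule in the given
# iptables-save text already drops SYN segments with --mss 1:500.
# (iptables-save prints the rule with an extra "-m tcp", so match by parts.)
mss_rule_present() {
    printf '%s\n' "$1" | grep '^-A INPUT ' | grep -- '--tcp-flags SYN SYN' \
        | grep -- '--mss 1:500' | grep -q -- '-j DROP'
}

# ensure_mss_rule: insert the rule at the top of INPUT only if it is missing,
# so re-running from init-start or firewall-start does not stack duplicates.
# Note: INPUT protects the router itself; LAN hosts behind it are not covered.
ensure_mss_rule() {
    mss_rule_present "$(iptables-save 2>/dev/null)" && return 0
    iptables -I INPUT $MSS_RULE
}

# Run as: sh sackpanic.sh apply   (no argument = define functions only)
if [ "${1:-}" = apply ]; then
    [ "$(sack_state)" = disabled ] || disable_sack
    ensure_mss_rule
fi
```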
     
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,611
    Location:
    Canada
    Sure, you got kernel patches for kernels 2.6.36, 4.1.27 and 4.1.51?
     
    Vexira and Starrbuck like this.
  8. JDB

    JDB Very Senior Member

    Joined:
    Aug 28, 2016
    Messages:
    791
    It appears patches for 2 of the 3 related CVEs already exist and one for the 3rd is en route very shortly.

    I wasn’t suggesting you were to fix the kernel yourself, simply integrate the fix once it is available (likely quicker than Asus will).

    Not sure what the wisecrack remark was for?


    Sent from my iPhone using Tapatalk
     
  9. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,611
    Location:
    Canada
    Those patches do not work on older kernels, hence my reply.

    I'm sorry, it just gets frustrating when that very same question gets asked every single time a new security issue appears, as if suddenly it was a matter of national emergency, and that I never patched any security issues.

    I will have to answer that same question probably 2-4 times on the forums (because people don't read existing posts before asking questions), 2-3 times on Twitter, and 2-3 times in emails.

    If you check only today's posts, you will see that, yet again, someone asked if I had patched the security issues included in Asus's 45717 release. On these forums alone that must be the fourth time that question got asked.

    Yes, as you can imagine, it gets annoying after the 10th time.
     
    gpb500, QuikSilver, Vexira and 9 others like this.
  10. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    872
    People are people. ;)
     
    QuikSilver, martinr and JDB like this.
  11. gattaca

    gattaca Regular Contributor

    Joined:
    Feb 18, 2012
    Messages:
    111
    ^^^^ RMerlin, I imagine you have the makings of a good instructor / teacher! ;)
     
  12. joe scian

    joe scian Senior Member

    Joined:
    Apr 22, 2018
    Messages:
    285
    People are dumb too, and stupid - they are all catered for on this forum! Mostly with humble aplomb.