
🚨 ⚠️ ⚠️ ⚠️
Urgent Linux advisory
⚠️ ⚠️ ⚠️ 🚨

openwall.com/lists/oss-securit

Urgently run the following:

echo 0 | sudo tee /proc/sys/net/ipv4/tcp_sack

On all Linux hosts to work around the issue and then start patching your kernels

@sir aren't 5.x kernels fine ?

or do I need to update tomorrow

@ivesen I have no reason to believe 5.x is safe, and you should update now

@ivesen update: 5.1.11 is safe, any earlier and it's not

@sir how do I do this on my smart tv and android devices?

@irl it's not an urgent problem for those devices. This affects Linux servers

@sir my smart tv is a Linux server. It has two web servers listening, one I haven’t figured out what it does yet.

This was more just an observation that when stuff like this happens there’s nothing that can be done on whole classes of device.

@sir just as not to run what I don't entirely understand: what will this change on my system/will it break my production?

@ignaloidas this will disable TCP SACK, an optional feature without which lossy connections may suffer reduced throughput

Without disabling this, your server can be remotely kernel panicked

@sir i just updated to 5.1.11, should i still do this?

@sir

I went the sysctl way to make it permanent.

edit /etc/sysctl.conf
add:
net.ipv4.tcp_sack = 0
reload it:
sysctl -p
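The two mitigation variants in this thread (the live `echo 0 | tee` into /proc, and the persistent `net.ipv4.tcp_sack = 0` in /etc/sysctl.conf plus `sysctl -p`) and the 5.1.11 threshold given above, folded into one script. This is an added example, not code posted by anyone in the thread; the function names, the `check`/`apply`/`persist` subcommands and the version-compare helper are my own. It only compares dotted version numbers, so it is a hint for mainline kernels: distro kernels backport fixes (the thread notes Ubuntu's 4.15.0-52 is patched), and the distro advisory is the authoritative answer there.

```shell
#!/bin/sh
# Added example, not from the thread. Decide whether the "disable TCP SACK"
# workaround is needed by comparing the running kernel against the mainline
# threshold stated in the thread (5.1.11 fixed, anything earlier not), and
# apply it to the live kernel and optionally persist it via sysctl.conf.
# Caveat (assumption stated in the lead-in): distro kernels backport fixes,
# so a bare version compare is only meaningful for mainline kernels.

FIXED_MAINLINE="5.1.11"   # threshold quoted in the thread

# kver_ge A B: succeed (0) when dotted version A >= B.
# Anything after the first non-digit/non-dot (e.g. "-52-generic") is ignored.
kver_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # both strings exhausted with no difference found: equal
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# needs_workaround KVER: succeed when KVER is below the fixed mainline version
needs_workaround() {
    if kver_ge "$1" "$FIXED_MAINLINE"; then return 1; else return 0; fi
}

# sack_state: print the live value of net.ipv4.tcp_sack (1 = enabled)
sack_state() { cat /proc/sys/net/ipv4/tcp_sack; }

# apply_live: the thread's one-liner, disable SACK in the running kernel only
apply_live() { echo 0 > /proc/sys/net/ipv4/tcp_sack; }

# persist: the sysctl.conf variant, so the setting survives a reboot
persist() {
    grep -q '^net.ipv4.tcp_sack' /etc/sysctl.conf 2>/dev/null \
        || echo 'net.ipv4.tcp_sack = 0' >> /etc/sysctl.conf
    sysctl -p
}

case "${1:-}" in
  check)
    kv=$(uname -r)
    if needs_workaround "$kv"; then
        echo "$kv is below $FIXED_MAINLINE: disable SACK now, then patch"
    else
        echo "$kv is at or above $FIXED_MAINLINE (mainline numbering)"
    fi
    echo "current tcp_sack = $(sack_state)" ;;
  apply)   apply_live ;;
  persist) apply_live; persist ;;
esac
```

Run `sh sack.sh check` as any user to see the verdict and the current setting; `apply` and `persist` need root. `apply` alone matches the advice to turn it off in the booted kernel and let the next reboot land on a patched kernel; `persist` is the sysctl.conf route, which you then have to remember to revert.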

@gemlog imo turn it off in the booted kernel and then patch it, the next reboot should boot into a patched kernel instead of setting yourself up to forget a sysctl change

@sir
Putting it in the conf file means it will automagically be applied on a reboot (should that ever happen!).
Besides, I'm moving out of this box soon into a new one.

@gemlog I know how sysctl works :P I still disagree with your mitigation approach

@sir sir, thank you much! Here is the line for a .conf in /etc/tmpfiles.d with systemd systems: termbin.com/0hdd

@sir
Just making sure:
With Ubuntu on kernel version 4.15.0-52-generic I'm safe, right?

Or do I still need to disable tcp_sack?

@bn4t Ubuntu is patched, if you're up-to-date you're good.

tfw one of your production servers has a kernel too old to be affected

cmpwn.com is a private Mastodon instance for friends of SirCmpwn.