VMware addressed several vulnerabilities in the Linux kernel implementation of TCP Selective Acknowledgement (SACK) that may allow a malicious entity to execute a denial-of-service attack.
There are two identifiable vulnerabilities associated with the Linux kernel implementation of SACK.
One is CVE-2019-11477 – SACK Panic – a sequence of SACKs may be crafted to trigger an integer overflow, leading to a kernel panic. VMware evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
The other is CVE-2019-11478 – SACK Excess Resource Usage – a crafted sequence of SACKs will fragment the TCP retransmission queue, causing resource exhaustion. VMware evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Products affected by the issues include:
• Container Service Extension
• Enterprise PKS
• Horizon DaaS
• Hybrid Cloud Extension
• Identity Manager
• Integrated OpenStack
• NSX for vSphere
• NSX-T Data Center
• Pulse Console
• SD-WAN Edge by VeloCloud
• SD-WAN Gateway by VeloCloud
• SD-WAN Orchestrator by VeloCloud
• Skyline Collector
• Unified Access Gateway
• vCenter Server Appliance
• vCloud Availability Appliance
• vCloud Director For Service Providers
• vCloud Usage Meter
• vRealize Automation
• vRealize Business for Cloud
• vRealize Code Stream
• vRealize Log Insight
• vRealize Network Insight
• vRealize Operations Manager
• vRealize Orchestrator Appliance
• vRealize Suite Lifecycle Manager
• vSphere Data Protection
• vSphere Integrated Containers
• vSphere Replication
A malicious actor must have network access to an affected system, including the ability to send traffic with low MSS values to the target. Successful exploitation of these issues may cause the target system to crash or significantly degrade its performance.
Patches are either available or pending, depending on the product line. To remediate, see the versions listed in the Fixed Version column of the Resolution Matrix.
Some VMware Virtual Appliances can work around the vulnerabilities either by disabling SACK or by modifying the built-in firewall (if available) in the base OS of the product to drop incoming connections with a low MSS value.
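A read-only audit for the two workarounds above on a generic Linux host, as an added example that is not VMware's procedure and not code from the original page. The `MSS_FLOOR` value of 500, the function names and the sample ruleset are assumptions; the page states no threshold.

```shell
#!/bin/sh
# Added example: report whether either workaround (SACK off, or a firewall rule
# dropping low-MSS TCP) is in place. Nothing here changes system state.
MSS_FLOOR=500   # assumed threshold; the page does not give one

# sack_disabled VALUE: succeeds when net.ipv4.tcp_sack is 0
sack_disabled() { [ "$1" = "0" ]; }

# low_mss_dropped RULES: succeeds when an INPUT rule in iptables-save format
# drops TCP packets whose MSS range starts at 1 and reaches MSS_FLOOR or more
low_mss_dropped() {
    printf '%s\n' "$1" | awk -v floor="$MSS_FLOOR" '
        /^-A INPUT / && /-p tcp/ && /-m tcpmss/ && /-j DROP/ {
            for (i = 1; i < NF; i++) if ($i == "--mss") {
                n = split($(i + 1), r, ":")
                lo = r[1]; hi = (n > 1) ? r[2] : r[1]
                if (lo + 0 <= 1 && hi + 0 >= floor) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# workaround_status SACK_VALUE RULES: prints which workaround, if any, is active
workaround_status() {
    if sack_disabled "$1"; then echo "mitigated: SACK disabled"
    elif low_mss_dropped "$2"; then echo "mitigated: low-MSS drop rule"
    else echo "exposed: no workaround detected"
    fi
}

# Constructed sample ruleset in iptables-save format
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# On a live host (as root):
#   workaround_status "$(cat /proc/sys/net/ipv4/tcp_sack)" "$(iptables-save)"
workaround_status 1 "$SAMPLE_RULES"
```

A drop rule like this can also reject legitimate peers that negotiate a small MSS, so check it against expected traffic before relying on it.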