Digi International Security Notice
Digi International Security Notice
CVE-2019-11477
CVE-2019-11478
CVE-2019-5599
CVE-2019-11479
June 25th, 2019
Overview
The purpose of this notice is to inform our customers of a
number of security vulnerabilities that are commonly called the “SACK”
vulnerabilities. This notice will cover which Digi products are impacted, what
steps customers can take to mitigate the risk, and what actions Digi recommends
to address this issue. The following
issues have been released:
CVE-2019-11477: SACK Panic (Linux >= 2.6.29). A sequence of
specifically crafted selective acknowledgements (SACK) may trigger an integer
overflow, leading to a denial of service or possible kernel failure (panic).
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess
Resource Usage (all Linux versions). A sequence of specifically crafted
selective acknowledgements (SACK) may cause a fragmented TCP queue, with a
potential result in slowness or denial of service.
CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP
Stack). The TCP loss detection algorithm, Recent ACKnowledgment (RACK), uses
time and packet or sequence counts to detect losses. RACK uses linked lists to
track and identify missing packets. A sequence of specifically crafted acknowledgements
may cause the linked lists to grow very large, thus consuming CPU or network
resources, resulting in slowness or denial of service.
CVE-2019-11479: Excess Resource Consumption Due to Low MSS
Values (all Linux versions). The default maximum segment size (MSS) is
hard-coded to 48 bytes which may cause an increase of fragmented packets. This
vulnerability may create a resource consumption problem in both the CPU and
network interface, resulting in slowness or denial of service.
These vulnerabilities allow
for a Denial of Service (DoS) attack to be carried out against affected
devices. Of the four SACK vulnerabilities, CVE-2019-11477 carries the highest
CVE rating of 7.5. None of these vulnerabilities allow for privilege escalation
or sensitive data disclosure.
Researcher Credit
These vulnerabilities were discovered by Jonathan Looney at
Netflix.
See Netflix’s public bulletin: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Affected Products
The security team at Digi has evaluated this vulnerability to
Digi products and determined the overall risk to this vulnerability to Digi products
is Medium.
This rating is different from the standard CVSS scoring, as US-CERT scoring gave
this a 7.8 (high) rating. The US-CERT CVSS scoring is based on devices that
serve multiple users. In most uses, the Digi device is used as a single connection/device
control. Further, DoS attacks are inherently common among small IoT devices,
and these attacks can be done using standard normal networking techniques. DoS
attacks have significantly more risk if the service is a multi user service,
such as a web server. This is one of the critical reasons for the reduction of
the scoring. However, we do recommend steps you can take to protect your device
from this attack. See below for more details in the mitigations section.
The following products are impacted by:
CVE-2019-11477
(CVSS 7.8)
CVE-2019-11478 (CVSS 7.5)
CVE-2019-11479 (CVSS 7.5)
- Digi IX14 (planned fix release is 19.8)
- Digi EX15 (planned fix release is 19.8)
- Digi LR54 (planned fix release is 4.8)
- Digi WR54 and WR64 (planned
fix release is 4.8)
- Digi 6300-CX (planned fix release is 19.8)
- Digi 6310-DX (planned fix release is 19.8)
- Digi 6330-MX (planned fix release is 19.8)
- Digi AnywhereUSB
Plus 2, 8, and 24
- Digi ConnectPort
LTS 8, 16, and 32
- Digi Passport
- Digi CM
- Digi Connect IT
- WVA
- Xbee Gateway/Xbee
Industrial Gateway
- Digi Embedded Linux
(DEL)
- Digi Embedded Yocto
(DEY)
- Digi Embedded Android
(DEA)
The following products are only impacted by:
CVE-2019-11479
(CVSS 7.5)
- ConnectPort TS
- Connect ES
- Connect SP
- Connect WS
- AnywhereUSB (G2)
- Connect X4
- Connect X2
Note: If you have any questions on any Digi products and
services that are not listed, please contact us at +1 (952) 912-3456, or via
the web site at www.digi.com/support.
Detailed
Information on Affected products
Background
Digi maintains a security team that continuously reviews new
results as they are found from this threat and test solutions and products for
any new and emerging security vulnerabilities. Security is a top priority and
something we take very seriously.
Analysis
We have not replicated any of these vulnerabilities, however
they are very well understood and so we are assuming all our products listed
above are vulnerable and will act accordingly.
Again, these attacks only provide a DoS attack. No data exposure
or privilege escalation is possible using these attacks.
Functions impacted:
For every vulnerability, we review each one carefully to
determine the impact to our devices and services. We try to make a
recommendation to our customers on the anticipated impact of these
vulnerabilities. However, since we do not know each specific configuration and
data that our customers are using for our products and services, it is always
suggested that the customer review their unique situation and understand what
the risk could be to their environment. For embedded devices, the function
impacted can vary greatly by what features the customer has enabled or not
turned on.
Risk
For specific risks to Digi international products, we have classified
the risk of this vulnerability to our products as Medium.
During our analysis, we determined that this does not expose a DoS attack
vector that is easier to exploit than what inherently exists for most IoT
devices. Although US-CERT has rated this vulnerability as High (CVSS of 7.8), we
believe the real threat, given the nature of Digi devices and our recommended
customer hardening, to be much lower.
Risk of the SACK attack on the Digi products:
•
If the device is only exposed to trusted networks the attacker
has to come from inside these networks
•
If the device is exposed to the public Internet, it has to allow
an arbitrary TCP connection to the attacker, or the attacker has to spoof an
allowed TCP, connection to be vulnerable
Risk needs to be determined by the end customer and how they
have chosen to deploy the device within their environment. We make this
determination based on the following criteria:
•
Most customers have deployed devices within a network that is
not reachable from the Internet.
•
Most customers that have deployed devices connected to the public
Internet have the public connections locked down, and do not advertise the
device’s hostname or IP address.
Suggested Steps to Protect Your
Devices
To fix or mitigate devices affected by this vulnerability, we
suggest the following steps.
Mitigation Steps
Digi is currently working on firmware updates that fix these
vulnerabilities directly. Until then there are some mitigations that can be
applied to some Digi devices.
Option 1 Disable
SACK
CVE-2019-11477 SACK Panic and CVE-2019-11478 SACK Slowness:
One way to prevent the two larger attacks is to outright disable
SACK. This can only be done if your device allows root shell access, like the
IX14, EX15, and 6300 line. This can be done the following command
> echo “0” > /proc/sys/net/ipv4/tcp_sack
This fix does not persist across reboots, and so will have to be
done every time the device boots.
Option 2 Disallow
Low MSS TCP
CVE-2019-11477 SACK Panic, CVE-2019-11478 SACK Slowness and
CVE-2019-11479 Excess Resource Consumption Due to Low MSS Values:
Another way to prevent all three attacks that affect Digi
devices is to drop any TCP connections that try to connect with low MSS values,
as a low MSS value is required for all three attacks. However, this may drop
legitimate traffic. It is recommended to test this this solution before
deploying. You should also note that you might have to adjust the low range for
MSS depending on your environment.
If your device is only accessible through a firewall you can
apply a firewall rule to prevent connections with low MSS values. Sample rules
are available from Netflix here: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/block-low-mss/README.md
If your device supports complex firewall rules, like the LR54, WR45, WR64,
IX14, EX15, and 6300 line you can block connections that have a low MSS, as a
low MSS is required for the attack.
For the LR54, WR54, and WR64 run the following commands:
> firewall -t mangle -A PREROUTING -p tcp -m conntrack
--ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
> firewall6 -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m
tcpmss ! --mss 536:65535 -j DROP
> save config
For the IX14, EX15, and 6300
line run:
> config firewall custom enable true
> config firewall custom rules "iptables -t mangle -A PREROUTING -p tcp
-m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP"
Resources
If you are interested in learning more about the disclosure,
please feel free to visit the web pages below:
•
Overall information on the
vulnerabilities https://www.kb.cert.org/vuls/id/905115/
•
SANS EDU Summary https://isc.sans.edu/diary/What+You+Need+To+Know+About+TCP+"SACK+Panic"/25046
•
Digi Security information - https://www.digi.com/resources/security
•
Researcher Information - https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
•
Public information on CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20162
If you have any other questions regarding this vulnerability and
how it affects Digi hardware products, feel free to contact us at +1 (952)
912-3456, or via the web site at www.digi.com/support. If you
have specific questions on the security analysis and/or technical aspects of
this note, you can also feel free to contact security@digi.com
Last updated:
Jul 09, 2019