* [Cerowrt-devel] sack panic CVEs
@ 2019-06-18 21:23 Dave Taht
0 siblings, 0 replies; only message in thread
From: Dave Taht @ 2019-06-18 21:23 UTC (permalink / raw)
To: cerowrt-devel, bloat
Apparently people are exploiting this in the wild.
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
CeroWrt - if anyone is still running it, does have a web server that
might be vulnerable, same for the ssh port. openwrt as well, well...
*Anybody* with an exposed tcp server of just about any sort on freebsd
or linux seems vulnerable to the first bug, which causes a kernel
panic.
Ironically I had been pushing over on ecn-sane to experiment with
lowering the MSS to keep signal strength up in highly congested
scenarios. Apparently,
someone found another use for the idea.
There is an iptables workaround,, documented here:
https://forum.openwrt.org/t/sack-panic-multiple-tcp-based-remote-denial-of-service-vulnerabilities/39028/7
I remember the "ping O death" which cost me christmas in the early
90s. I've been watching the patches to the kernel land and wishing I
was somewhere else.
--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-06-18 21:23 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-18 21:23 [Cerowrt-devel] sack panic CVEs Dave Taht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox