Configuring VPN Remote Access for the first time on your Sophos XG Firewall? Check out this useful Community post!
Sophos Central Firewall Manager maintenance scheduled for April 2nd, starting at 3:30am EDT. More info available here.
This article outlines the details of the TCP SACK PANIC kernel vulnerability and how it impacts Sophos products.
Three related flaws were found in the Linux kernel’s handling of TCP Selective Acknowledgement (SACK) packets handling with low MSS size.
These have been assigned the following CVEs:
Applies to the following Sophos products and versions
Fixed version 126.96.36.199
Sophos is actively working to resolve this issue with high priority.
In the meantime, users can follow the workaround instructions outlined below.
To resolve this vulnerability while a permanent fix is being developed, users can disable selective acknowledgments system-wide for all newly established TCP connections.
Disable selective acknowledgements in the console. This workaround is reboot-persistent.
Note:Disabling SACK may reduce performance in case of packet loss.
set advanced-firewall tcp-selective-acknowledgement off
TCP Selective Acknowledgements: off
set advanced-firewall tcp-selective-acknowledgement on
There are two available workarounds that are reboot-persistent. Each workaround has caveats. Users may prefer one workaround over the other.
This workaround mitigates all three CVE vulnerabilities.
Note: A side effect of this change is that it may disrupt legitimate traffic that relies on low MSS values.
echo "net.ipv4.tcp_mtu_probing = 0" >> /etc/sysctl.conf
(:USR_OUTPUT - [0:0])
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
Disabling Selective ACK
This workaround mitigates only CVE-2019-11477 and CVE 2019-11478.
Note: A side effect of this change is that disabling SACK may result in reduced performance in case of packet loss.
echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
Note: The changes in /etc/sysctl.conf for both workarounds should be removed once the UTM is updated to v9.604, which includes a permanent fix.
Disable selective acknowledgement in the console. This workaround is reboot persistent.
Note: Disabling SACK may reduce performance in case of packet loss.
show advanced-firewall TCP Selective Acknowledgements : off
Use the related workarounds available for the Sophos UTM.
Customers are able to manually mitigate these vulnerabilities on Security VMs by following the below steps:
sudo sysctl -w net.ipv4.tcp_sack=0
Note: This modification will need to be reapplied following every reboot of the Security VM. We are releasing Sophos for Virtual Environments 1.3.2 in July 2019 to address these vulnerabilities.
Sign up to the Sophos Support SMS Notification Service to get the latest information product releases and critical issues.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. Your input is invaluable and helps us as we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.