Notice: Sophos UTM 9 Kernel Panic Vulnerability - TCP SACK PANIC - Multiple CVEs

6/27/2019 Update - See the bottom section for new information

 

Original post


 

Hello all.

 

Sophos UTM 9 is running a (modified?) Linux kernel which is currently susceptible to a slew of CVEs disclosed by Netflix: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Another outline of this issue can be read here: https://access.redhat.com/security/vulnerabilities/tcpsack

 

To confirm that your version of the UTM is vulnerable, please do the following:

  1. SSH into your UTM (Sophos has a decent guide for Windows users)
  2. Type in this command:
    cat /proc/sys/net/ipv4/tcp_sack
  3. If stdout shows a value of 1 then SACK is enabled.

 

I am currently on hold with the Technical team, waiting to determine if we will be allowed to turn SACK off.

 

Steps for mitigation


 

Sophos has sent out an email regarding this situation and the products affected. Their link to the new knowledgebase article contains details about steps you can take to mitigate these vulnerabilities until the next release.

In our situation, we went ahead and disabled MTU Probing altogether. Monitoring has shown no drop in performance, and our users have not noticed any decrease in bandwidth.

The steps they lay out for this are:

  • Disable MTU Probing:
    • echo "net.ipv4.tcp_mtu_probing = 0" >> /etc/sysctl.conf
    • sysctl -p
  • Add the following line to /var/mdw/etc/iptables/iptable.filter after (:USR_OUTPUT - [0:0]) line at line 29 for UTM v9.603:
    • -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

We have not implemented the other options. Consider your own situation and services before choosing what to disable.

Note: If you wish to make these changes, you must enable ssh via the web manager and login to the console.

  • Hi  

    Thank for you reaching out to share this with our Community!

    Yes, our team is actively investigating and there should be more information available to provide tomorrow. Please stay tuned.

    Regards,

  • Thank you for raising the question!

  • In reply to FloSupport:

    Any new information since "tomorrow"? ;)

  • In reply to EdmundSackbauer:

    Hey  

    My apologies for the delayed response!

    Yes, we created this thread to provide more information:

    Regards,

  • In reply to Alexander Busch:

    I tried to add this command but not working. Can anyone assist me step by step.. Im new here for this command

    Add the following line to /var/mdw/etc/iptables/iptable.filter after (:USR_OUTPUT - [0:0]) line at line 29 for UTM v9.603:

    • -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
  • In reply to Muhammad Ramzan Razali:

    Hi Muhammad and welcome to the UTM Community!

    You need to use an editor.  Look up the commands for the Linux vi editor and then, as root, enter the following at the command line:

    edit /var/mdw/etc/iptables/iptable.filter

    Cheers - Bob

  • In reply to LuCar Toni:

    Thanks for letting us know, Toni.

    If the mitigation in the first post here, limiting MSS size, was done, should any of that be undone after upgrading to 9.604?

    UPDATE a few minutes later:  After the Up2Date is applied, the lines added to sysctl.conf and iptable.filter are gone, so the answer to my question is apparently "no."

    Cheers - Bob

  • In reply to BAlfson:

    The Up2Date seems to have hung 33 seconds in:

    UPDATE a few minutes later: Apparently it completed successfully????

    sys-9.603-9.604-1.2.1.tgz (Jul 11 15:31)

    Cheers - Bob

  • In reply to BAlfson:

    Hi Everybody,

    unfortunately, I have to ask the same question again, because it has not yet been answered:

    If the mitigation in the first post here, limiting MSS size, was done, should any of that be undone after upgrading to 9.604?

     

    In the Update Information stand nothing:

    community.sophos.com/.../utm-up2date-9-604-released

     

    In the community article this was the only information about this:

    community.sophos.com/.../134237

    Note: The changes in /etc/sysctl.conf for both workarounds should be removed once the UTM is updated to v9.604, which includes a permanent fix.

    But the MSS where changed in the /var/mdw/etc/iptables/iptable.filter not in the /etc/sysctl.conf !

     

    So it is possible to get a clear simple statement what has to be undone before the update, it is not that if we do something wrong may have hundreds of computer problems!

    Sorry but this unnecessary research consumes precious time

    Thanks Dirk

  • In reply to Dirk L:

    Hallo Dirk,

    I think the following will show that iptable.filter is corrected to standard in 9.605.

    grep 'mss 1\:500' /var/mdw/etc/iptables/iptable.filter

    The following will likely indicate that you need to delete the added line in sysctl.conf.

    tail -1 /etc/sysctl.conf

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    please excuse me but I do not know what is so difficult to a simple desired answer.
    Do i have to remove the iptables changes yes or no?

    I think the following will show that iptable.filter is corrected to standard in 9.605.

    This means you have installed a new 9.605 an there are the changes by default in the /var/mdw/etc/iptables/iptable.filter, so I have not to remove my changes? Or should I prefer to remove my changes before the update, so it does not fail?

    the sysctl.conf must be returned to the original state yes or no.
    tail -1 /etc/sysctl.conf # this is no help to show the last line, especially since this is not delivered as described empty

     

    Try and Error are not my ways of working.

    Thanks Dirk

  • In reply to Dirk L:

    Naja, Dirk, Du weißt schon daß ich kein Sophos-Angestellter bin - wah ?

    All I can tell you is what I saw on my lab and our production devices.  The commands I gave will tell you whether things are in their original states or should be changed.

    The grep on iptables.filter should return nothing, indicating that the 9.605 Up2Date returned that file to its original setting.

    The tail -1 /etc/sysctl.conf command should show the line that you added before and that you will now want to remove.

    Cheers - Bob