Digi International Security Notice
CVE-2019-11477
CVE-2019-11478
CVE-2019-5599
CVE-2019-11479
June 25th, 2019
Overview
The purpose of this notice is to inform our customers of a
number of security vulnerabilities that are commonly called the “SACK”
vulnerabilities. This notice covers which Digi products are impacted, what
steps customers can take to mitigate the risk, and what actions Digi recommends
to address this issue. The following issues have been published:
CVE-2019-11477: SACK Panic (Linux >= 2.6.29). A sequence of
specifically crafted selective acknowledgements (SACK) may trigger an integer
overflow, leading to a denial of service or possible kernel failure (panic).
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess
Resource Usage (all Linux versions). A sequence of specifically crafted
selective acknowledgements (SACK) may cause a fragmented TCP queue,
potentially resulting in slowness or denial of service.
CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP
Stack). The TCP loss detection algorithm, Recent ACKnowledgment (RACK), uses
time and packet or sequence counts to detect losses. RACK uses linked lists to
track and identify missing packets. A sequence of specifically crafted acknowledgements
may cause the linked lists to grow very large, thus consuming CPU or network
resources, resulting in slowness or denial of service.
CVE-2019-11479: Excess Resource Consumption Due to Low MSS
Values (all Linux versions). The default maximum segment size (MSS) is
hard-coded to 48 bytes, which may cause an increase in fragmented packets. This
vulnerability may create a resource consumption problem in both the CPU and the
network interface, resulting in slowness or denial of service.
These vulnerabilities allow a Denial of Service (DoS) attack to be carried out
against affected devices. Of the four SACK vulnerabilities, CVE-2019-11477
carries the highest CVSS rating, 7.5. None of these vulnerabilities allow
privilege escalation or sensitive data disclosure.
Researcher Credit
These vulnerabilities were discovered by Jonathan Looney at
Netflix.
See Netflix’s public bulletin: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Affected Products
The security team at Digi has evaluated this vulnerability against
Digi products and determined that the overall risk to Digi products is Medium.
This rating differs from the standard CVSS scoring; US-CERT gave
this a 7.8 (High) rating. The US-CERT CVSS scoring is based on devices that
serve multiple users. In most deployments, a Digi device handles a single
connection or controls a single device. Further, DoS attacks are inherently
common against small IoT devices, and such attacks can be carried out using
standard networking techniques. DoS attacks carry significantly more risk when
the service is multi-user, such as a web server. This is one of the main reasons
for the reduced score. However, we do recommend steps you can take to protect
your device from this attack. See the Mitigation Steps section below for details.
The following products are impacted by CVE-2019-11477 (CVSS 7.8),
CVE-2019-11478 (CVSS 7.5) and CVE-2019-11479 (CVSS 7.5):
- Digi IX14 (planned fix release is 19.8)
- Digi EX15 (planned fix release is 19.8)
- Digi LR54 (planned fix release is 4.8)
- Digi WR54 and WR64 (planned fix release is 4.8)
- Digi 6300-CX (planned fix release is 19.8)
- Digi 6310-DX (planned fix release is 19.8)
- Digi 6330-MX (planned fix release is 19.8)
- Digi AnywhereUSB Plus 2, 8, and 24
- Digi ConnectPort LTS 8, 16, and 32
- Digi Passport
- Digi CM
- Digi Connect IT
- WVA
- Xbee Gateway/Xbee Industrial Gateway
- Digi Embedded Linux (DEL)
- Digi Embedded Yocto (DEY)
- Digi Embedded Android (DEA)
The following products are only impacted by CVE-2019-11479 (CVSS 7.5):
- ConnectPort TS
- Connect ES
- Connect SP
- Connect WS
- AnywhereUSB (G2)
- Connect X4
- Connect X2
Note: If you have any questions on any Digi products and
services that are not listed, please contact us at +1 (952) 912-3456, or via
the web site at www.digi.com/support.
Detailed Information on Affected Products
Background
Digi maintains a security team that continuously reviews new findings about
this threat as they emerge and tests our solutions and products for
any new and emerging security vulnerabilities. Security is a top priority and
something we take very seriously.
Analysis
We have not replicated any of these vulnerabilities; however,
they are very well understood, so we are assuming all our products listed
above are vulnerable and will act accordingly.
Again, these attacks only enable a DoS. No data exposure
or privilege escalation is possible using these attacks.
Functions impacted:
For every vulnerability, we carefully review the impact to our devices and
services and try to give our customers a recommendation on the anticipated
impact. However, since we do not know the specific configuration and data
each customer uses with our products and services, we always suggest that
customers review their unique situation and understand what the risk could be
to their environment. For embedded devices, the functions impacted can vary
greatly depending on which features the customer has enabled.
Risk
For specific risks to Digi International products, we have classified
the risk of this vulnerability to our products as Medium.
During our analysis, we determined that this does not expose a DoS attack
vector that is easier to exploit than what already exists for most IoT
devices. Although US-CERT has rated this vulnerability as High (CVSS of 7.8), we
believe the real threat, given the nature of Digi devices and our recommended
customer hardening, to be much lower.
Risk of the SACK attack on the Digi products:
• If the device is only exposed to trusted networks, the attacker
has to come from inside these networks.
• If the device is exposed to the public Internet, it has to allow
an arbitrary TCP connection from the attacker, or the attacker has to spoof an
allowed TCP connection, to be vulnerable.
Risk needs to be determined by the end customer and how they
have chosen to deploy the device within their environment. We make this
determination based on the following criteria:
• Most customers have deployed devices within a network that is
not reachable from the Internet.
• Most customers that have deployed devices connected to the public
Internet have the public connections locked down, and do not advertise the
device’s hostname or IP address.
Suggested Steps to Protect Your Devices
To fix or mitigate devices affected by this vulnerability, we
suggest the following steps.
Mitigation Steps
Digi is currently working on firmware updates that fix these
vulnerabilities directly. Until then, there are some mitigations that can be
applied to some Digi devices.
Option 1 Disable SACK
CVE-2019-11477 SACK Panic and CVE-2019-11478 SACK Slowness:
One way to prevent the two larger attacks is to disable SACK outright.
This can only be done if your device allows root shell access, like the
IX14, EX15, and 6300 line. Run the following command:
> echo "0" > /proc/sys/net/ipv4/tcp_sack
This fix does not persist across reboots, and so will have to be
done every time the device boots.
Option 2 Disallow Low MSS TCP
CVE-2019-11477 SACK Panic, CVE-2019-11478 SACK Slowness and
CVE-2019-11479 Excess Resource Consumption Due to Low MSS Values:
Another way to prevent all three attacks that affect Digi
devices is to drop any TCP connections that try to connect with low MSS values,
as a low MSS value is required for all three attacks. However, this may drop
legitimate traffic. It is recommended to test this solution before
deploying it. You should also note that you might have to adjust the low range for
MSS depending on your environment.
If your device is only accessible through a firewall, you can
apply a firewall rule to prevent connections with low MSS values. Sample rules
are available from Netflix here: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/block-low-mss/README.md
If your device supports complex firewall rules, like the LR54, WR54, WR64,
IX14, EX15, and 6300 line, you can block connections that have a low MSS, as a
low MSS is required for the attack.
For the LR54, WR54, and WR64 run the following commands:
> firewall -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
> firewall6 -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
> save config
For the IX14, EX15, and 6300 line run:
> config firewall custom enable true
> config firewall custom rules "iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP"
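As an added illustration that is not part of Digi's notice, the following Python mirrors the tcpmss rule above on raw TCP SYN headers, so you can see which MSS values the rule drops (including the edge case of a SYN carrying no MSS option) before testing it against your own traffic. The sample SYN segments are constructed inline; the port numbers are arbitrary.

```python
import struct

# Same range as the advisory's rule: -m tcpmss ! --mss 536:65535 -j DROP
MSS_MIN, MSS_MAX = 536, 65535

def parse_tcp_mss(segment: bytes):
    """Return the MSS option value of a raw TCP segment, or None if absent.
    EOL (0) and NOP (1) are single-byte; the MSS option is kind 2, length 4;
    other options are skipped via their length byte. Malformed option lists
    raise ValueError so the caller can treat the packet as hostile."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, i = segment[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # EOL: no more options
            break
        if kind == 1:                              # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def low_mss_rule_drops(segment: bytes) -> bool:
    """True if the inverted tcpmss rule would drop this new-connection SYN.
    A SYN with no MSS option counts as 'not in range', as in the kernel's
    tcpmss match, so the inverted rule drops it too; malformed options drop."""
    try:
        mss = parse_tcp_mss(segment)
    except ValueError:
        return True
    return mss is None or not (MSS_MIN <= mss <= MSS_MAX)

def build_syn(mss=None) -> bytes:
    """Constructed sample SYN (port 40000 -> 443), optionally carrying an MSS."""
    opts = b"" if mss is None else struct.pack("!BBH", 2, 4, mss)
    opts += b"\x01" * (-len(opts) % 4)            # NOP-pad to a 32-bit boundary
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, doff << 4, 0x02, 65535, 0, 0)
    return hdr + opts
```

`low_mss_rule_drops(build_syn(48))` (the 48-byte MSS named in CVE-2019-11479) returns True, while MSS values of 536 and 1460 are accepted; a SYN with no MSS option is also dropped, which is one reason the notice warns the rule may affect legitimate traffic.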
Resources
If you are interested in learning more about the disclosure,
please feel free to visit the web pages below:
• Overall information on the vulnerabilities https://www.kb.cert.org/vuls/id/905115/
• SANS EDU Summary https://isc.sans.edu/diary/What+You+Need+To+Know+About+TCP+"SACK+Panic"/25046
• Digi Security information - https://www.digi.com/resources/security
• Researcher Information - https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
• Public information on CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20162
If you have any other questions regarding this vulnerability and
how it affects Digi hardware products, feel free to contact us at +1 (952)
912-3456, or via the web site at www.digi.com/support. If you
have specific questions on the security analysis and/or technical aspects of
this note, you can also feel free to contact [email protected]
Last updated:
Jul 09, 2019