CVE 2019 14899
This page lists mitigations for the CVE in a simple way, including sources for review.
Initial page : 07 December 2019
Last updated : 07 December 2019
At this date very little is known, except that the flaw can be mitigated on Linux.
Both IPv4 and IPv6 are impacted.
impacted : network stack shows weakness for both IPv4 and IPv6
affected : Linux, FreeBSD, OpenBSD, MacOS, iOS, Android
tracking : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14899
Follow my Twitter feed @commandline_be for CVE specific posts
Original : OSSEC Mailinglist
Relevant : Technical Response with considerations
DeepDive : Wireguard Forum post
For now I only cover Linux. If you have a documented mitigation for another OS and would like to see it here, let me know.
Multiple mitigation actions are known and considered viable to implement at this time.
procedural
validate : check that sysctl shows all rp_filter values as `= 1`.
conclude : if any rp_filter value is not equal to 1 your system is at risk, except for `lo.rp_filter = 0`, which is okay.
mitigate : set `rp_filter = 1` to enable reverse-path filtering for all interfaces.
technical
sysctl -a | grep \\.rp_filter
option : configure or update the sysctl.conf file on your system, usually in /etc or /etc/default
effect : this will permanently enable reverse-path filtering by default for IPv4 network interfaces.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
option : manually configure `rp_filter=1` for all ipv4 network interfaces.
effect : this mitigation will be gone on next reboot or when a new command overwrites the values.
warning ... this command will have effect on your system ... be careful
sysctl -a | grep \\.rp_filter | grep -v "conf.lo" | sed s/"= 0"/"= 1"/ | sed s/" "//g | xargs sysctl
procedural
validate : check whether an rpfilter rule set to DROP is present in the PREROUTING chain of the mangle table.
executed : ip6tables -L -v -t mangle | grep rpfil
displays : 0 0 DROP all any any anywhere anywhere rpfilter invert
conclude : if the above output is visible your system is not at risk.
mitigate : configure a rule in the prerouting chain for the mangle table.
technical UFW
configure UFW to populate the mangle table by creating the file /etc/ufw/mangle6.rules with the contents below. If such a file already exists for the mangle table, simply copy/paste the rule "-I PREROUTING -m rpfilter --invert -j DROP" into it.
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw6-before-input
# ufw6-before-output
# ufw6-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*mangle
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
# End required lines
-I PREROUTING -m rpfilter --invert -j DROP
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
technical IPTables
use the ip6tables command below to add the rule to the PREROUTING chain of the mangle table.
look into ip6tables-save and ip6tables-apply to make this change permanent on your system(s).
ip6tables -t mangle -I PREROUTING -m rpfilter --invert -j DROP
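Added example, not from this page: an offline audit script for both "validate / conclude" steps above. It reads saved `sysctl -a | grep \.rp_filter` and `ip6tables -L -v -t mangle` output from stdin (the samples below are constructed, not from a real host), so it needs no root and applies nothing; the function names are my own.

```shell
#!/bin/sh
# Echo "key value" for every rp_filter line except loopback, since the page
# treats lo.rp_filter = 0 as acceptable. Shared helper for the two audits below.
rp_filter_pairs() {
    while read -r key eq val; do
        case "$key" in
            net.ipv4.conf.lo.rp_filter) continue ;;
            *.rp_filter) printf '%s %s\n' "$key" "$val" ;;
        esac
    done
}

# List every interface whose rp_filter is not 1.
# Exit status 0: nothing at risk. Exit status 1: mitigation needed.
audit_rp_filter() {
    rp_filter_pairs | awk 'BEGIN { bad = 0 }
        $2 != 1 { print "AT RISK: " $1 " = " $2; bad = 1 }
        END { exit bad }'
}

# Print the sysctl.conf lines (key=1) that would fix the at-risk interfaces.
# Unlike the xargs line above this only prints; nothing is applied.
rp_filter_fix_lines() {
    rp_filter_pairs | awk '$2 != 1 { print $1 "=1" }'
}

# Check saved `ip6tables -L -v -t mangle` output for the rpfilter DROP rule.
# Returns 0 when a DROP line carrying "rpfilter invert" is present.
has_rpfilter_drop() {
    grep -q 'DROP.*rpfilter invert'
}

# Constructed sample output for a stand-alone run (eth0 is a placeholder name).
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 2'
SAMPLE_IP6TABLES='    0     0 DROP       all      any    any     anywhere             anywhere             rpfilter invert'

# Report at-risk interfaces and, if any, the sysctl.conf lines that fix them.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_rp_filter || {
    echo "suggested sysctl.conf lines:"
    printf '%s\n' "$SAMPLE_SYSCTL" | rp_filter_fix_lines
}
printf '%s\n' "$SAMPLE_IP6TABLES" | has_rpfilter_drop && echo "ip6tables: rpfilter DROP rule present"
```

On a live host, feed real output with `sysctl -a 2>/dev/null | audit_rp_filter` and `ip6tables -L -v -t mangle | has_rpfilter_drop`.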
welcome to the blues, commandline.be at your service