Help to detect CVE-2019-11479

Hi all,

Recently, Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels (CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)).

We want to detect this flaw with Zeek, but it looks like there's no way to get the MSS (Maximum Segment Size) value of the TCP options. Any ideas?

Thanks,

Hi Zer0d0y,

You should be able to pull these values from the connection_SYN_packet event (https://docs.zeek.org/en/stable/script-reference/proto-analyzers.html#id-connection_SYN_packet).

The SYN packet (https://docs.zeek.org/en/stable/scripts/base/init-bare.bro.html#type-SYN_packet) contains the MSS value.

I hope this helps.

  • Matt

It just dawned on me. I did this for CVE-2019-11477 the other day. The below should add “mss” and “sack_ok” fields to your CONN log for all TCP connections.
I’m not great at Zeek scripting, so take this with some caution. I’m sure there are folks here on the list that could better optimize this. :slight_smile:

# Add the two new fields to the conn.log record.
redef record Conn::Info += {
    mss: count &optional &log;
    sack_ok: bool &optional &log;
};

# Per-connection storage for the values until the connection is logged
# (the connection record itself is never written to a log, so no &log here).
redef record connection += {
    mss: count &optional;
    sack_ok: bool &optional;
};

# Capture the MSS and SACK-permitted options from the SYN packet.
event connection_SYN_packet(c: connection, pkt: SYN_packet) {
    c$mss = pkt$MSS;
    c$sack_ok = pkt$SACK_OK;
}

# Copy the values into the Conn::Info record before conn.log is written.
event connection_state_remove(c: connection) {
    if ( c ?$ mss )
        c$conn$mss = c$mss;

    if ( c ?$ sack_ok )
        c$conn$sack_ok = c$sack_ok;
}
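Beyond logging the value, the same event can drive a detection. The following is an added example, not code from the thread: it raises a Zeek Notice whenever a client's SYN advertises an MSS below a threshold. The threshold of 500 and the module and notice names are my assumptions.

```zeek
# Added example: alert on low-MSS client SYNs (threshold is an assumption).
module LowMSS;

export {
    redef enum Notice::Type += {
        ## A client SYN advertised an unusually small MSS.
        Low_MSS_SYN
    };

    ## Assumed threshold; SYNs advertising a smaller MSS are reported.
    const min_mss: count = 500 &redef;
}

event connection_SYN_packet(c: connection, pkt: SYN_packet)
    {
    # Only inspect the originator's SYN, not the responder's SYN-ACK.
    if ( ! pkt$is_orig )
        return;

    # An MSS of 0 means the option was not present at all.
    if ( pkt$MSS == 0 || pkt$MSS >= min_mss )
        return;

    NOTICE([$note=Low_MSS_SYN,
            $conn=c,
            $msg=fmt("SYN from %s to %s advertised MSS %d (below %d)",
                     c$id$orig_h, c$id$resp_h, pkt$MSS, min_mss),
            $sub=fmt("sack_ok=%s", pkt$SACK_OK),
            # One notice per source host, so a flood does not flood notice.log.
            $identifier=cat(c$id$orig_h)]);
    }
```

Combine this with the conn.log fields above to see the advertised MSS of every connection, and raise or lower min_mss to match the MSS values your own clients normally send.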

Matt,

Thanks for the reply. That works!