All Nodegrid OS versions.
Impact
An established connection may be torn down, which matters most for protocols that rely on long-lived connections, such as BGP.
This is a disputed vulnerability: several vendors shipping the Linux kernel, such as Red Hat, have argued that it does not warrant a fix.
Note that the attack relies on behaviour required by the TCP specification itself, RFC 793.
Mitigation
Qualys reports this as QID 82054.
Adding the following to /etc/sysctl.conf will avoid detection by Qualys:
- net.ipv4.tcp_window_scaling = 0
- net.ipv4.tcp_syncookies = 1
- net.ipv4.tcp_max_syn_backlog = 2048
- net.ipv4.tcp_synack_retries = 3
After this change is done, execute:
- /sbin/sysctl -p /etc/sysctl.conf
However, we do not recommend this: the vulnerability is not severe, it is disputed by the community, and these changes may have adverse effects.
The Linux kernel has implemented the mitigation proposed in RFC 5961 section 3.2 since version 3.2.37, so all Nodegrid versions already include it.
IPSec tunnels and similar tunnels protect against this attack.
The TCP MD5 Signature Option, as defined in RFC 2385, also protects against this attack.
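To make concrete why the kernel's RFC 5961 section 3.2 implementation noted above is considered sufficient, here is an added Python illustration (not Nodegrid or kernel code; the sequence number and window values are constructed) of how an incoming RST is validated under RFC 793 versus RFC 5961:

```python
# Added illustration, not code from the advisory or the Linux kernel.
# Compares the RFC 793 and RFC 5961 section 3.2 rules for accepting a TCP RST.

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rfc793_rst_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Classic RFC 793 behaviour: any RST whose sequence number lands anywhere
    inside the receive window aborts the connection, so a sender only has to
    hit the window rather than the exact expected sequence number."""
    return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rfc5961_rst_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2: only an RST that exactly matches RCV.NXT resets the
    connection. An in-window but non-exact RST is answered with a challenge ACK;
    the genuine peer then replies with a correctly sequenced RST, while a sender
    that does not see the connection's state cannot."""
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


if __name__ == "__main__":
    # Constructed state: receive window straddles the 2^32 wraparound point.
    rcv_nxt, rcv_wnd = 0xFFFFFF00, 65535
    samples = [rcv_nxt, (rcv_nxt + 1000) % SEQ_MOD, (rcv_nxt + 70000) % SEQ_MOD]
    for seq in samples:
        print(f"seq={seq:#010x} rfc793={rfc793_rst_action(seq, rcv_nxt, rcv_wnd):5s} "
              f"rfc5961={rfc5961_rst_action(seq, rcv_nxt, rcv_wnd)}")
```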
Solutions
There are no comprehensive solutions, and there are no plans to implement one.