Two of the biggest suppliers of enterprise products have warned IT administrators of security vulnerabilities.
VMware issued an “important” alert this week for updates after finding 30 of its products are vulnerable to the recently discovered Linux kernel TCP Selective Acknowledgement (SACK) vulnerabilities. Those bugs could lead to a distributed denial of service attack against those products, the company said.
Meanwhile, Cisco Systems said it is updating the firmware on a number of its Small Business 250, 350, 350X and 550X switches, as well as the FindIT Network Probe, after researchers at a security firm discovered that, through a third-party software library, security certificates from a Huawei Technologies subsidiary had been included in the Cisco products.
VMware said there are two uniquely identifiable vulnerabilities associated with the Linux kernel implementation of SACK:
- CVE-2019-11477 – SACK Panic – A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
- CVE-2019-11478 – SACK Excess Resource Usage – A crafted sequence of SACKs will fragment the TCP retransmission queue, causing resource exhaustion. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
The good news is that these aren’t easy to exploit: an attacker must have network access to an affected system, including the ability to send traffic with low MSS values to the target. Successful exploitation of these issues may cause the target system to crash or significantly degrade its performance.
The bad news is that only some devices can be updated at the moment; others, including some VMware Virtual Appliances, need workarounds: either disabling SACK, or modifying the built-in firewall (if available) in the product’s base operating system to drop incoming connections with a low MSS value.
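The two workarounds above can be checked for from the command line. The script below is an added example, not part of the article or of VMware’s advisory: it reads the SACK setting from a copy of /proc/sys/net/ipv4/tcp_sack and looks for a low-MSS drop rule in an iptables-save export, so it can be run against a saved snapshot as well as the live host, and it prints the commands for the missing workaround. The 500-byte cut-off for “low MSS” and the file-based inputs are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not from the article or from VMware: check whether a Linux
# host (or a saved snapshot of one) has either SACK workaround in place, and
# print the commands for the missing one.
#
# Assumptions: tcp_sack is read from a copy of /proc/sys/net/ipv4/tcp_sack
# (a value of 0 means SACK is disabled) and the firewall export is in
# iptables-save format, where a low-MSS drop rule uses "-m tcpmss --mss LOW:HIGH".
# The 500-byte cut-off is this example's choice for "low MSS".

LOW_MSS_MAX=500

# sack_enabled SYSCTL_FILE -> "yes" unless the file holds 0 (missing file = yes)
sack_enabled() {
    if [ "$(cat "$1" 2>/dev/null | tr -d '[:space:]')" = "0" ]; then
        echo no
    else
        echo yes
    fi
}

# has_low_mss_drop RULES_FILE -> "yes" if an INPUT rule drops TCP segments
# whose MSS option is at most LOW_MSS_MAX (matched via the tcpmss module)
has_low_mss_drop() {
    [ -r "$1" ] || { echo no; return; }
    awk -v max="$LOW_MSS_MAX" '
        /^-A INPUT / && /-m tcpmss --mss [0-9]+:[0-9]+/ && /-j DROP/ {
            match($0, /--mss [0-9]+:[0-9]+/)
            range = substr($0, RSTART + 6, RLENGTH - 6)   # e.g. "1:500"
            split(range, b, ":")
            if (b[2] + 0 <= max + 0) found = 1
        }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# mitigation_status SYSCTL_FILE RULES_FILE -> "mitigated" or "exposed"
mitigation_status() {
    if [ "$(sack_enabled "$1")" = no ] || [ "$(has_low_mss_drop "$2")" = yes ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# recommended_fix -> the two workarounds; one is enough. Disabling SACK is
# the simpler change but costs throughput on lossy paths; the firewall rule
# keeps SACK and only refuses the unusually small MSS the issue depends on,
# at the risk of dropping legitimate clients on links with a tiny MTU.
recommended_fix() {
    cat <<EOF
# Option A: disable SACK (persist it under /etc/sysctl.d/ to survive reboot)
sysctl -w net.ipv4.tcp_sack=0
# Option B: drop incoming SYNs advertising an MSS of at most $LOW_MSS_MAX bytes
iptables -I INPUT -p tcp --syn -m tcpmss --mss 1:$LOW_MSS_MAX -j DROP
EOF
}

# Demo against constructed inputs (no root needed). On a live host pass
# /proc/sys/net/ipv4/tcp_sack and the output of "iptables-save" instead.
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/tcp_sack"
printf '%s\n' '*filter' '-A INPUT -i lo -j ACCEPT' 'COMMIT' > "$demo_dir/rules"
status=$(mitigation_status "$demo_dir/tcp_sack" "$demo_dir/rules")
echo "status: $status"
[ "$status" = exposed ] && recommended_fix
rm -rf "$demo_dir"
```

Run it once before and once after applying a workaround; a status of “exposed” with SACK enabled and no tcpmss rule is exactly the state the advisory’s workarounds are meant to remove.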
Affected products are VMware AppDefense, Container Service Extension, Enterprise PKS, Horizon, Hybrid Cloud Extension, Identity Manager, Integrated OpenStack, NSX, Pulse Console, SD-WAN, Skyline Collector, Unified Access Gateway, vCenter Server Appliance, vCloud, vRealize and vSphere products.
The Cisco problem is an example of what can go wrong when software developers use third-party or open source libraries in their products, which is common practice, and it shows the need for thorough testing before final code is released.
The problem was detected by SEC Technologies, which ran its IoT Inspector tool on the firmware of a Cisco 250 Smart Switch. The firmware contained a few X.509 certificates and a corresponding private key in a root folder usually intended for SSH keys, not certificates. The certificates had been issued by gary.wu1(at)huawei.com of Futurewei Technologies, a U.S.-based subsidiary of Huawei Technologies.
SEC alerted Cisco, which investigated. The certificates and private key were part of the OpenDaylight open source package on GitHub, which is used in all Cisco 250/350/350X/550X Series switches; all of them are affected. Developers had used the certificates for testing the Cisco FindIT Network Probe that comes with the devices.
In its advisory Cisco said the inclusion of the certificates and keys from the OpenDaylight open source package in shipping software was “an oversight by the Cisco FindIT development team. Normally all shipping versions of the Cisco FindIT Network Probe use dynamically created certificates.” The latest firmware releases remove the offending certificates.
Separately, Cisco said it is also fixing, in new firmware for a number of 250, 350 and 550 switches, the inclusion of empty password hashes for the users root and user, and of the unneeded gdbserver and tcpdump packages.
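All three Cisco findings are the kind of thing a release check over the unpacked firmware image catches before shipping. The script below is an added example, not Cisco’s or SEC’s code: it walks a firmware root for PEM certificates and private keys (flagging any private key, and any certificate sitting in an SSH key directory, the pattern described above), lists accounts in etc/shadow whose hash field is empty, and reports gdbserver and tcpdump binaries. It assumes a standard Linux filesystem layout under the root directory; the sample tree it builds is constructed for the demo and its PEM bodies are placeholders.

```shell
#!/bin/sh
# Added example, not Cisco's or SEC Technologies' code: pre-release hygiene
# checks over an unpacked firmware root, covering the three findings the
# article reports: PEM certificates and private keys left in the image,
# accounts with an empty password hash in etc/shadow, and debugging tools
# (gdbserver, tcpdump) present in a shipping build. Assumes a standard Linux
# layout under ROOT; the tree built at the bottom is constructed for the demo.

# find_pem_material ROOT -> "TYPE: relative/path" for every PEM header found
find_pem_material() {
    ( cd "$1" && grep -raEo -e '-----BEGIN [A-Z ]+-----' . ) 2>/dev/null \
        | sed -E 's#^\./(.*):-----BEGIN ([A-Z ]+)-----$#\2: \1#' \
        | sort
}

# private_keys ROOT -> paths of PEM private keys; any of these is a finding,
# since a key baked into an image is shared by every unit shipped
private_keys() {
    find_pem_material "$1" | sed -n 's/^[A-Z ]*PRIVATE KEY: //p'
}

# misplaced_certs ROOT -> certificates stored in SSH key directories
misplaced_certs() {
    find_pem_material "$1" | sed -n 's/^CERTIFICATE: //p' \
        | sed -n -E '\#(^|/)\.ssh/|^etc/ssh/#p'
}

# empty_password_accounts SHADOW_FILE -> users whose hash field is empty,
# i.e. login without a password; locked accounts ("!" or "*") are not flagged
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1" 2>/dev/null
}

# debug_tools ROOT -> debugging/capture binaries present anywhere in the image
debug_tools() {
    for tool in gdbserver tcpdump; do
        if find "$1" -type f -name "$tool" 2>/dev/null | grep -q .; then
            echo "$tool"
        fi
    done
}

# audit ROOT -> one line per finding
audit() {
    private_keys "$1"    | sed 's/^/private key shipped: /'
    misplaced_certs "$1" | sed 's/^/certificate in SSH key dir: /'
    if [ -f "$1/etc/shadow" ]; then
        empty_password_accounts "$1/etc/shadow" | sed 's/^/empty password hash: /'
    fi
    debug_tools "$1"     | sed 's/^/debug tool shipped: /'
}

# audit_count ROOT -> number of findings (0 means the image passed)
audit_count() {
    audit "$1" | wc -l | tr -d ' '
}

# Demo on a constructed firmware tree mirroring the article's findings.
# The PEM bodies are placeholders, not real key material.
fw=$(mktemp -d)
mkdir -p "$fw/etc/ssh" "$fw/usr/bin"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$fw/etc/ssh/test-ca.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$fw/etc/ssh/test-key.pem"
printf '%s\n' 'root::18000:0:99999:7:::' 'user::18000:0:99999:7:::' 'sshd:*:18000:0:99999:7:::' > "$fw/etc/shadow"
: > "$fw/usr/bin/gdbserver"
: > "$fw/usr/bin/tcpdump"
audit "$fw"
echo "findings: $(audit_count "$fw")"
rm -rf "$fw"
```

Wired into a build pipeline, a non-zero finding count fails the release; the certificate rule is deliberately narrow so that a product’s own CA bundle under a certificate directory does not trip it, while a private key anywhere in the image always does.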