Digi International Security Notice
June 25th, 2019
The purpose of this notice is to inform our customers of a
number of security vulnerabilities that are commonly called the “SACK”
vulnerabilities. This notice will cover which Digi products are impacted, what
steps customers can take to mitigate the risk, and what actions Digi recommends
to address this issue. The following
issues have been published:
CVE-2019-11477: SACK Panic (Linux >= 2.6.29). A sequence of
specifically crafted selective acknowledgements (SACK) may trigger an integer
overflow, leading to a denial of service or possible kernel failure (panic).
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess
Resource Usage (all Linux versions). A sequence of specifically crafted
selective acknowledgements (SACK) may cause a fragmented TCP queue, with a
potential result in slowness or denial of service.
CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP
Stack). The TCP loss detection algorithm, Recent ACKnowledgment (RACK), uses
time and packet or sequence counts to detect losses. RACK uses linked lists to
track and identify missing packets. A sequence of specifically crafted acknowledgements
may cause the linked lists to grow very large, thus consuming CPU or network
resources, resulting in slowness or denial of service.
CVE-2019-11479: Excess Resource Consumption Due to Low MSS
Values (all Linux versions). The default maximum segment size (MSS) is
hard-coded to 48 bytes which may cause an increase of fragmented packets. This
vulnerability may create a resource consumption problem in both the CPU and
network interface, resulting in slowness or denial of service.
These vulnerabilities allow
a Denial of Service (DoS) attack to be carried out against affected
devices. Of the four SACK vulnerabilities, CVE-2019-11477 carries the highest
CVSS rating, 7.5. None of these vulnerabilities allow privilege escalation
or sensitive data disclosure.
These vulnerabilities were discovered by Jonathan Looney at
See Netflix’s public bulletin: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
The security team at Digi has evaluated this vulnerability against
Digi products and determined the overall risk of this vulnerability to Digi products
This rating is different from the standard CVSS scoring, as US-CERT scoring gave
this a 7.8 (high) rating. The US-CERT CVSS scoring is based on devices that
serve multiple users. In most uses, the Digi device is used as a single connection/device
controller. Further, DoS attacks are inherently common against small IoT devices,
and such attacks can be carried out using standard networking techniques. DoS
attacks carry significantly more risk if the service is a multi-user service,
such as a web server. This is one of the critical reasons for the reduction of
the scoring. However, we do recommend steps you can take to protect your device
from this attack. See the mitigations section below for details.
The following products are impacted by:
CVE-2019-11478 (CVSS 7.5)
CVE-2019-11479 (CVSS 7.5)
The following products are only impacted by:
Note: If you have any questions on any Digi products and
services that are not listed, please contact us at +1 (952) 912-3456, or via
the web site at www.digi.com/support.
Information on Affected products
Digi maintains a security team that continuously reviews new
findings about this threat as they emerge, and tests our solutions and products for
any new and emerging security vulnerabilities. Security is a top priority and
something we take very seriously.
We have not replicated any of these vulnerabilities, however
they are very well understood and so we are assuming all our products listed
above are vulnerable and will act accordingly.
Again, these attacks only result in a DoS. No data exposure
or privilege escalation is possible using these attacks.
For every vulnerability, we review each one carefully to
determine the impact to our devices and services. We try to make a
recommendation to our customers on the anticipated impact of these
vulnerabilities. However, since we do not know each specific configuration and
data that our customers are using for our products and services, it is always
suggested that the customer review their unique situation and understand what
the risk could be to their environment. For embedded devices, the functionality
impacted can vary greatly depending on which features the customer has enabled.
For specific risks to Digi international products, we have classified
the risk of this vulnerability to our products as Medium.
During our analysis, we determined that this does not expose a DoS attack
vector that is easier to exploit than what inherently exists for most IoT
devices. Although US-CERT has rated this vulnerability as High (CVSS of 7.8), we
believe the real threat, given the nature of Digi devices and our recommended
customer hardening, to be much lower.
Risk of the SACK attack on the Digi products:
If the device is only exposed to trusted networks, the attacker
has to come from inside those networks.
If the device is exposed to the public Internet, it has to accept
an arbitrary TCP connection from the attacker, or the attacker has to spoof an
allowed TCP connection, for the device to be vulnerable.
Risk needs to be determined by the end customer and how they
have chosen to deploy the device within their environment. We make this
determination based on the following criteria:
Most customers have deployed devices within a network that is
not reachable from the Internet.
Most customers that have deployed devices connected to the public
Internet have the public connections locked down, and do not advertise the
device’s hostname or IP address.
To fix or mitigate devices affected by this vulnerability, we
suggest the following steps.
Digi is currently working on firmware updates that fix these
vulnerabilities directly. Until then there are some mitigations that can be
applied to some Digi devices.
Option 1: Disable SACK
CVE-2019-11477 SACK Panic and CVE-2019-11478 SACK Slowness:
One way to prevent the two larger attacks is to outright disable
SACK. This can only be done if your device allows root shell access, like the
IX14, EX15, and 6300 line. This can be done with the following command:
> echo 0 > /proc/sys/net/ipv4/tcp_sack
This fix does not persist across reboots, and so will have to be
done every time the device boots.
Option 2: Disallow Low MSS TCP
CVE-2019-11477 SACK Panic, CVE-2019-11478 SACK Slowness and
CVE-2019-11479 Excess Resource Consumption Due to Low MSS Values:
Another way to prevent all three attacks that affect Digi
devices is to drop any TCP connections that try to connect with low MSS values,
as a low MSS value is required for all three attacks. However, this may drop
legitimate traffic. It is recommended to test this solution before
deploying it. You should also note that you might have to adjust the low end of the
MSS range depending on your environment.
If your device is only accessible through a firewall you can
apply a firewall rule to prevent connections with low MSS values. Sample rules
are available from Netflix here: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/block-low-mss/README.md
If your device supports complex firewall rules, like the LR54, WR45, WR64,
IX14, EX15, and 6300 line you can block connections that have a low MSS, as a
low MSS is required for the attack.
For the LR54, WR54, and WR64 run the following commands:
> firewall -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
> firewall6 -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
> save config
For the IX14, EX15, and 6300 run the following commands:
> config firewall custom enable true
> config firewall custom rules "iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP"
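As an added illustration (not part of Digi's notice or Netflix's sample rules), the following Python models what the `-m tcpmss ! --mss 536:65535` match does to a NEW-state segment: it extracts the MSS option from the TCP header and applies the negated range check, including the edge case of a segment that carries no MSS option at all, which the netfilter tcpmss match treats as outside the range and so, with `!`, drops. The `build_syn` helper, its port numbers and the MSS values fed to it are constructed sample data.

```python
import struct

# Parameters of the advisory's rule: -m tcpmss ! --mss 536:65535 -j DROP
MSS_MIN, MSS_MAX, INVERT = 536, 65535, True
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def tcp_mss_option(tcp_segment: bytes):
    """Return the MSS advertised in the TCP option list, or None if absent."""
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_segment[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or len(tcp_segment) < data_offset:
        raise ValueError("bad TCP data offset")
    opts = tcp_segment[20:data_offset]
    i = 0
    # Walk the options like the kernel match: EOL ends the list, NOP is one
    # byte, every other option carries a length byte after its kind.
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break  # option without a length byte: malformed, stop
        length = opts[i + 1]
        if kind == TCPOPT_MSS and length == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length if length else 1
    return None


def rule_drops(tcp_segment: bytes) -> bool:
    """True if the mangle rule above would DROP this NEW-state segment."""
    mss = tcp_mss_option(tcp_segment)
    if mss is None:
        # No MSS option: the match evaluates to its invert flag, so the
        # negated rule drops segments that carry no MSS option at all.
        return INVERT
    return (MSS_MIN <= mss <= MSS_MAX) ^ INVERT


def build_syn(mss=None) -> bytes:
    """Constructed sample SYN header (not captured traffic); ports are arbitrary."""
    opts = b"" if mss is None else struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    opts += bytes([TCPOPT_NOP]) * (-len(opts) % 4)  # pad to a 32-bit boundary
    data_offset = (20 + len(opts)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return header + opts
```

Run `rule_drops` over SYNs captured from your own clients before deploying the rule: any legitimate peer that advertises an MSS below 536, or none at all, will be dropped by it.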
If you are interested in learning more about the disclosure,
please feel free to visit the web pages below:
Overall information on the
SANS EDU Summary https://isc.sans.edu/diary/What+You+Need+To+Know+About+TCP+"SACK+Panic"/25046
Digi Security information - https://www.digi.com/resources/security
Researcher Information - https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Public information on CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20162
If you have any other questions regarding this vulnerability and
how it affects Digi hardware products, feel free to contact us at +1 (952)
912-3456, or via the web site at www.digi.com/support. If you
have specific questions on the security analysis and/or technical aspects of
this note, you can also feel free to contact email@example.com