Written by Jan Otte, Thursday 20 June 2019
This security advisory is a reaction on the recently discovered network vulnerabilities in Linux kernel (see below on particular names and links).
These vulnerabilities can, under certain circumstances, be used by an attacker against a range of our routers running current firmware (6.1.9) with the potential result of the router rebooting.
We have already prepared a patch which closes the vulnerabilities. The patch will be included in future firmware versions (6.1.10, 6.2.0) when these are released.
Until the new firmware versions are available, you may apply any of the recommended workaround. The easiest workaround (and also the recommended one) is to disable SACK processing by issuing this command:
echo 0 > /proc/sys/net/ipv4/tcp_sack
Note that the command will affect the settings until reboot. If you want the effect to last over reboot (recommended) you should add the command also to the startup script.
The command disables SACK processing. The impact of disabling SACK processing would not be noticed unless in some corner cases. If you find out that the device performance or throughput is affected considerably, you may try another workaround (please go through the linked articles). Please do not forget to contact support in that case. We will inspect your case and try to find more convenient workaround for your particular setup.
The vulnerabilities discovered are formed in three CVEs: