F5 Networks BIG-IP : Excess resource consumption due to low MSS values vulnerability (K35421172) (SACK Slowness)

high Nessus Plugin ID 129313
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote device is missing a vendor-supplied security patch.


Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363. (CVE-2019-11479)

The Linux kernel is vulnerable to a flaw that allows attackers sending crafted packets with low maximum segment size (MSS) values to trigger excessive resource consumption.



The BIG-IP system has no exposure to this vulnerability within the Traffic Management Microkernel (TMM), including virtual servers and virtual IP addresses (also known as the data plane). However, the BIG-IP system is vulnerable via the self IP addresses and the management interface (also known as the control plane). A remote attacker can exploit this vulnerability to cause a denial of service (DoS) by sending a sequence of specially crafted TCP packets.

Backend systems accessed via a FastL4 virtual server

By its nature as a full-proxy, the BIG-IP system protects backend systems accessed through a standard virtual server, as any attacker's TCP connection would be terminated at the BIG-IP system. However, backend systems accessed via a FastL4 virtual server(a virtual server configured with a FastL4 profile) are exposed by default as the attack traffic is forwarded as-is to the backend system.

Traffix SDC

A remote attacker can exploit this vulnerability to cause a DoS by sending a sequence of specially crafted TCP packets.


Upgrade to one of the non-vulnerable versions listed in the F5 Solution K35421172.

See Also


Plugin Details

Severity: High

ID: 129313

File Name: f5_bigip_SOL35421172.nasl

Version: 1.5

Type: local

Published: 9/25/2019

Updated: 2/12/2020

Dependencies: f5_bigip_detect.nbin

Configuration: Enable paranoid mode

Risk Information


Risk Factor: Medium

Score: 4.4


Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: E:U/RL:OF/RC:C


Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 6/19/2019

Vulnerability Publication Date: 6/19/2019

Reference Information

CVE: CVE-2019-11479