2nd Jul 2019 – VMware product updates address Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478)

Preface: ESXi is not built upon the Linux kernel, but uses an own VMware proprietary kernel (the VMkernel) and software, and it misses most of the applications and components that are commonly found in all Linux distributions.

In common Linux circumstances to avoid SACK vulnerabilities. The workaround are:

Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

Filter command:
Sudo iptables -A INPUT -p tcp -m tcpmss –mss 1:500 -j DROP

Turn off tcp_mtu_probing:
Sysctl net.ipv4.tcp_mtu_probing

Perhaps this is VMWARE. So you must follow below solution by vendor.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.