Wireshark mailing list archives

Wireshark, low MSS and CVE-2019-11477, 11478 and 11479


From: "Maynard, Chris via Wireshark-dev" <wireshark-dev () wireshark org>
Date: Mon, 10 Feb 2020 19:58:03 +0000

In light of these 3 CVEs, CVE-2019-11477, 11478 and 11479[3], and the apparently effective work-around to avoid them 
according to the recent December 2019 Internet Protocol Journal[4] article, "MSS Values of TCP" by Geoff Huston, should 
Wireshark add an Expert Info for any TCP MSS value seen of 500 or lower, especially for TCP connections that are 
terminated via RST, as the low MSS value may be the reason for the TCP connection reset?

To quote the article:

      As for the CVE mitigation advice to refuse a connection attempt when the remote-end MSS value is 500 or lower, 
I'd say that's good advice. It seems that the low MSS values are the result of some form of misconfiguration or error, 
and rather than attempting to mask over the error and persisting with an essentially broken TCP connection that is 
prone to generating a packet deluge, the best option is to just say "no" at the outset. If we all do that, then the 
misconfiguration will be quickly identified and fixed, rather than being silently masked over.

It's that last sentence that caught my eye and made me think that Wireshark could help quickly identify the MSS 
misconfiguration if something like an Expert Info were added.
- Chris
[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
[3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
[4]: https://ipj.dreamhosters.com/
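
The check proposed in this message, as an added example that is not part of the original post and is not Wireshark code: it parses the MSS option from raw TCP headers, flags SYNs advertising an MSS of 500 or lower, and records whether that connection was later reset. The function names, the `_seg` helper, and the sample segments and addresses are constructed for illustration.

```python
import struct

LOW_MSS = 500  # threshold from the quoted CVE mitigation advice
def parse_mss(tcp):
    """Return the MSS option value from a raw TCP header, or None if absent or malformed."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if not 20 <= hdr_len <= len(tcp):
        return None
    opts, i = tcp[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                    # truncated or bogus length: stop, never loop
        if kind == 2 and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def low_mss_findings(segments):
    """segments: (src, dst, raw_tcp) tuples in capture order; one finding per connection."""
    flagged = {}
    for src, dst, tcp in segments:
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        conn = frozenset([(src, sport), (dst, dport)])   # same key for both directions
        if flags & 0x02:                   # SYN and SYN/ACK carry the MSS option
            mss = parse_mss(tcp)
            if mss is not None and mss <= LOW_MSS:
                flagged.setdefault(conn, {"advertiser": src, "mss": mss, "reset": False})
        elif flags & 0x04 and conn in flagged:           # RST on a flagged connection
            flagged[conn]["reset"] = True
    return list(flagged.values())

def _seg(sport, dport, flags, options=b""):   # builds a constructed header, not a capture
    off = (20 + len(options)) // 4 << 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, off, flags, 65535, 0, 0) + options

SAMPLE = [  # constructed segments using documentation addresses
    ("192.0.2.10", "198.51.100.5", _seg(40000, 443, 0x02, b"\x02\x04\x00\x30\x01\x01\x04\x02")),
    ("198.51.100.5", "192.0.2.10", _seg(443, 40000, 0x14)),
    ("192.0.2.11", "198.51.100.5", _seg(40001, 443, 0x02, b"\x02\x04\x05\xb4")),
]
```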










