Re: Wireshark, low MSS and CVE-2019-11477, 11478 and 11479

[Alexis La Goutte <alexis.lagoutte () gmail com>]

Hi Chris,

I think, it is a good idea and no too complicated to implement !

Cheers

On Mon, Feb 10, 2020 at 8:58 PM Maynard, Chris via Wireshark-dev <
wireshark-dev () wireshark org> wrote:

> In light of these 3 CVE’s, CVE-2019-11477, 11478 and 11479[3], and the
> apparently effective work-around to avoid them according to the recent
> December 2019 Internet Protocol Journal[4] article, *“MSS Values of TCP”*
> by Geoff Huston, should Wireshark add an Expert Info for any TCP MSS value
> seen of 500 or lower, especially for TCP connections that are terminated
> via RST, as the low MSS value may be the reason for the TCP connection
> reset?
>
> To quote the article:
>
> As for the CVE mitigation advice to refuse a connection attempt when the
> remote-end MSS value is 500 or lower, I’d say that’s good advice. It seems
> that the low MSS values are the result of some form of mis­configuration or
> error, and rather than attempting to mask over the error and persisting
> with an essentially broken TCP connection that is prone to generating a
> packet deluge, the best option is to just say “no” at the outset. If we all
> do that, then the misconfiguration will be quickly identified and fixed,
> rather than being silently masked over.
>
> It's that last sentence that caught my eye and made me think that
> Wireshark could help quickly identify the MSS misconfiguration if something
> like an Expert Info were added.
> - Chris
> [1]: *https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477*
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477>
> [2]: *https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478*
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478>
> [3]: *https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479*
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479>
> [4]: *https://ipj.dreamhosters.com/* <https://ipj.dreamhosters.com/>
>
>
>
>
>
>
>
>
>
>
>
> CONFIDENTIALITY NOTICE: This message is the property of International Game
> Technology PLC and/or its subsidiaries and may contain proprietary,
> confidential or trade secret information. This message is intended solely
> for the use of the addressee. If you are not the intended recipient and
> have received this message in error, please delete this message from your
> system. Any unauthorized reading, distribution, copying, or other use of
> this message or its attachments is strictly prohibited.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe