Wireshark-dev: Re: [Wireshark-dev] Wireshark, low MSS and CVE-2019-11477, 11478 and 11479
From: Alexis La Goutte <alexis.lagoutte@xxxxxxxxx>
Date: Tue, 11 Feb 2020 20:38:28 +0100
Hi Chris,

I think, it is a good idea and no too complicated to implement !

Cheers

On Mon, Feb 10, 2020 at 8:58 PM Maynard, Chris via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:
In light of these 3 CVE’s, CVE-2019-11477, 11478 and 11479[3], and the apparently effective work-around to avoid them according to the recent December 2019 Internet Protocol Journal[4] article, “MSS Values of TCP” by Geoff Huston, should Wireshark add an Expert Info for any TCP MSS value seen of 500 or lower, especially for TCP connections that are terminated via RST, as the low MSS value may be the reason for the TCP connection reset?
 
To quote the article:
 
As for the CVE mitigation advice to refuse a connection attempt when the remote-end MSS value is 500 or lower, I’d say that’s good advice. It seems that the low MSS values are the result of some form of mis­configuration or error, and rather than attempting to mask over the error and persisting with an essentially broken TCP connection that is prone to generating a packet deluge, the best option is to just say “no” at the outset. If we all do that, then the misconfiguration will be quickly identified and fixed, rather than being silently masked over.
 
It's that last sentence that caught my eye and made me think that Wireshark could help quickly identify the MSS misconfiguration if something like an Expert Info were added.
- Chris
 
 
 
 
 
 
 
 
 
 
 
CONFIDENTIALITY NOTICE: This message is the property of International Game Technology PLC and/or its subsidiaries and may contain proprietary, confidential or trade secret information. This message is intended solely for the use of the addressee. If you are not the intended recipient and have received this message in error, please delete this message from your system. Any unauthorized reading, distribution, copying, or other use of this message or its attachments is strictly prohibited.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe