[Wireshark-dev] Wireshark, low MSS and CVE-2019-11477, 11478 and 11479

Mon, 10 Feb 2020 11:58:40 -0800 

In light of these 3 CVE's, CVE-2019-11477, 11478 and 11479[3], and the 
apparently effective work-around to avoid them according to the recent December 
2019 Internet Protocol Journal[4] article, "MSS Values of TCP" by Geoff Huston, 
should Wireshark add an Expert Info for any TCP MSS value seen of 500 or lower, 
especially for TCP connections that are terminated via RST, as the low MSS 
value may be the reason for the TCP connection reset?

To quote the article:

      As for the CVE mitigation advice to refuse a connection attempt when the 
remote-end MSS value is 500 or lower, I'd say that's good advice. It seems that 
the low MSS values are the result of some form of misconfiguration or error, 
and rather than attempting to mask over the error and persisting with an 
essentially broken TCP connection that is prone to generating a packet deluge, 
the best option is to just say "no" at the outset. If we all do that, then the 
misconfiguration will be quickly identified and fixed, rather than being 
silently masked over.

It's that last sentence that caught my eye and made me think that Wireshark 
could help quickly identify the MSS misconfiguration if something like an 
Expert Info were added.
- Chris
[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
[3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
[4]: https://ipj.dreamhosters.com/











CONFIDENTIALITY NOTICE: This message is the property of International Game 
Technology PLC and/or its subsidiaries and may contain proprietary, 
confidential or trade secret information. This message is intended solely for 
the use of the addressee. If you are not the intended recipient and have 
received this message in error, please delete this message from your system. 
Any unauthorized reading, distribution, copying, or other use of this message 
or its attachments is strictly prohibited.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Reply via email to