In light of these 3 CVE’s, CVE-2019-11477, 11478 and 11479[3], and the apparently effective work-around to avoid them according to the recent December 2019 Internet Protocol Journal[4] article, “MSS Values of TCP” by Geoff
Huston, should Wireshark add an Expert Info for any TCP MSS value seen of 500 or lower, especially for TCP connections that are terminated via RST, as the low MSS value may be the reason for the TCP connection reset?
To quote the article:
As for the CVE mitigation advice to refuse a connection attempt when the remote-end MSS value is 500 or lower, I’d say that’s good advice. It seems that the low MSS values are the result
of some form of misconfiguration or error, and rather than attempting to mask over the error and persisting with an essentially broken TCP connection that is prone to generating a packet deluge, the best option is to just say “no” at the outset. If we all
do that, then the misconfiguration will be quickly identified and fixed, rather than being silently masked over.
It's that last sentence that caught my eye and made me think that Wireshark could help quickly identify the MSS misconfiguration if something like an Expert Info were added.
- Chris
CONFIDENTIALITY NOTICE: This message is the property of International Game Technology PLC and/or its subsidiaries and may contain proprietary, confidential or trade secret information. This message is intended solely for the
use of the addressee. If you are not the intended recipient and have received this message in error, please delete this message from your system. Any unauthorized reading, distribution, copying, or other use of this message or its attachments is strictly prohibited.
