Jonathan Looney, a security expert at Netflix, found three
The most severe flaw, tracked as SACK Panic, could be exploited to remotely trigger a DOS condition and reboot vulnerable systems. The kernel panic flaw affects recent Linux kernels.
“Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.” reads the security advisory. “The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities.”
The denial of service flaw SACK Panic was tracked as CVE-2019-11477 and was rated as important severity, it received a 7.5 CVSS3 base score,
“Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.” reads the Netflix’s NFLX-2019-001 security advisory.
“The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.
There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described below, based on their environment.”
The SACK Panic vulnerability affects Linux kernels 2.6.29 and later, an attacker could exploit it by sending a crafted sequence of SACK segments on a TCP connection with a small value of TCP MSS that will trigger an integer overflow leading to a kernel panic.
“Apply the patch PATCH_net_1_4
Below the advisories published by major Linux distros and cloud service providers:
The good news for Linux users is that most of the issues found by Netflix were already addressed with security patches. Mitigations are also available for those systems that cannot be immediately patched.
Users and administrator can mitigate the flaw by completely disabling SACK processing on the system or blocking connections with a low MSS. Netflix Information Security provided a series of filters to block the connections. Another mitigation consists of disabling TCP probing.
The remaining issued were respectively tracked as CVE-2019-11478 and CVE-2019-11479, both were rated as moderate severity vulnerabilities. The flaws affect all Linux versions. The CVE-2019-11478 issue could be exploitable by sending a crafted sequence of SACKs which will fragment the TCP retransmission queue. The CVE-2019-11479 issue could be exploited by attackers to trigger a DoS state by sending crafted packets with low MSS values to trigger excessive resource consumption.
CVE-2019-5599, aka SACK Slowness, affects FreeBSD 12 using the RACK TCP Stack. An attacker could exploit it by delivering a crafted sequence of SACKs which will fragment the RACK send map.
“It is possible to send a crafted sequence of
CVE-2019-5599 can be addressed by applying “split_limit
Admins could also temporarily disable the RACK TCP stack.
“Good system and application coding and configuration practices (limiting write buffers to the necessary level, monitoring connection memory consumption via SO_MEMINFO, and aggressively closing misbehaving connections) can help to limit the impact of attacks against these kinds of vulnerabilities,” concludes Netflix Information Security.
(SecurityAffairs – XSS, hacking)